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WHAT INFORMATION DO DATA BROKERS 
HAVE ON CONSUMERS, AND HOW DO THEY 

USE IT? 


WEDNESDAY, DECEMBER 18, 2013 

U.S. Senate, 

Committee on Commerce, Science, and Transportation, 

Washington, DC. 

The Committee met, pursuant to notice, at 2:31 p.m., in room 
SR-253, Russell Senate Office Building, Hon. John D. Rockefeller 
IV, Chairman of the Committee, presiding. 

OPENING STATEMENT OF HON. JOHN D. ROCKEFELLER IV, 
U.S. ENATOR FROM WEST VIRGINIA 

The Chairman. The Committee will come to order. 

There are, at this point, two people sitting at the dais, and they 
are two wonderful people, but I would be pleased if there were 
more. Senator Blumenthal and Senator Pryor, Senator Markey, 
Senator Fischer, Senator Warner will be here. 

But this is the day that we almost vote on the budget, actually. 
We don’t quite. We always find ways to do it. You have the motion 
to proceed to it, and then you have a motion to — whatever. And 
then tomorrow at some point we vote on the budget. Just be grate- 
ful you are in private life. 

[Laughter.] 

The Chairman. OK. You are all welcome. 

The disclosures about U.S. intelligence activities over the past 
few months have sparked a very public debate in this country 
about what kinds of information the government should be gath- 
ering and how we protect the privacy of Americans who have done 
nothing wrong. 

The Snowden disclosures have harmed our country’s national se- 
curity, but they have made Americans think more than they usu- 
ally do about how their lives, both online and offline, can be 
tracked, monitored, and analyzed. People are aware of that, not to 
the extent that they are in Great Britain, where they are so accus- 
tomed to being videotaped in everything they do. We are still going 
through that adjustment period. 

I am glad we are talking about these important privacy issues, 
in general and today. We have all benefited from the rapid ad- 
vances in computing technology, but we also cherish our personal 
freedoms. We always use that word, “cherish” our personal free- 
doms. But we do. And it is a complicated subject. And we want to 

( 1 ) 



2 


be able to protect ourselves and our loved ones from the unwanted 
gaze of the government and our neighbors. 

What has been missing from this conversation so far is the role 
that private companies play in collecting and analyzing our per- 
sonal information. A group of companies known collectively as 
“data brokers” are gathering massive amounts of data about our 
personal lives and selling this information to marketers. We don’t 
hear a lot about the private-sector data broker industry, but it is 
playing a large and growing role in our lives. 

Let me provide a little perspective. In the year 2012, which you 
will recall was last year, the data broker industry generated $156 
billion in revenues — that is more than twice the size of the entire 
intelligence budget of the United States Government — all gen- 
erated by the effort to learn about and sell the details about our 
private lives. Whether we know it or like it or not, makes no dif- 
ference. 

One of the largest data broker companies, Acxiom, recently 
boasted to its investors that it can provide, quote, “multi-sourced 
insight into approximately 700 million customers worldwide.” 

When government or law enforcement agencies collect informa- 
tion about us, they are restrained by our Constitution and our 
laws, and they are subject to the oversight of courts, inspectors 
general, and the United States Congress through the Intelligence 
Committee in the Senate and the House. 

And I have served on the Intelligence Committee since before 9/ 
11, and I can declare to you absolutely without a single thought 
that the protection that NSA provides to security and secrecy is far 
better than what we are going to be talking about today. They have 
rules. They have all kinds of judges and hoops that you have to 
jump through. The FBI is involved, DOJ. It is all — it is very tight. 

And every day you read the paper, you would think it didn’t 
exist, it is just the government gone wild. But particularly when 
it comes to domestic, which is called Section 215, it is very tightly 
monitored, and there is never content, there is never e-mail, and 
there is never a name — never a name. There is just a telephone 
number. 

But data brokers go about their business with little or no over- 
sight. While there are laws on the books that protect the privacy 
of Americans’ health and financial information, they do not cover 
data brokers’ marketing activities. 

Collecting consumers’ information for marketing purposes is not 
a new business. For decades before the Internet was invented, re- 
tailers, marketers, and, yes, political candidates compiled mailing 
lists that they used to send catalogs, coupon books, or other mate- 
rials to their potential customers. 

But the data broker industry has been revolutionized in recent 
years by the tremendous advances in computing and data analysis. 
And as consumers spend more and more time socializing and shop- 
ping online, they are generating rich new streams of personal data 
to collect and analyze, on the part of the data brokers. 

These days, data brokers don’t just know our address, our income 
level, our political affiliation, most probably, they probably know 
the weight of everybody in the family. They have collected thou- 
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sands of data points about each one of us, and we are simply not 
aware of it, except in theory. 

They know if you have diabetes or suffer from depression. They 
know if you smoke cigarettes. They know your reading habits, your 
browsing habits. They know how much you and your family mem- 
bers weigh. And they may even know how many whiskey drinks 
you have consumed in the last 30 days. 

We wouldn’t reveal that kind of information, would we? 

Senator Thune. Of course not. 

The Chairman. No. 

[Laughter.] 

The Chairman. Like the pieces of a mosaic, data brokers combine 
data points like these into startlingly detailed and intimate profiles 
of American consumers. 

Under current laws, we have no right to see these pictures of 
ourselves that these companies have created. We have no right. For 
the past year, this committee has been trying to bring some much- 
needed oversight to the data broker industry. 

Where is the copy of our report? Oh, it is under here. I have it. 

We have been pushing the data brokers to answer the same 
kinds of questions many Americans have been asking the govern- 
ment since the Snowden disclosures: What information are you col- 
lecting about us, and how are you using the information? 

Today’s hearing is the first time we are publicly discussing what 
we are learning in this investigation. The Commerce Committee 
staff has also prepared a report for me and for the Ranking Mem- 
ber on the progress of this investigation. It is thus. More to come. 

I ask unanimous consent to put a copy of this report in the 
record of this hearing. 

[The report follows:] 
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Executive Summary 

Consumers are conducting more and more of their daily business online and 
through their mobile devices. They use the Internet and their smart phones and tab- 
lets to make purchases, research medical conditions, plan vacations, interact with 
friends and relatives, do their jobs, map travel routes, and otherwise pursue their 
interests. With these activities, consumers are creating a voluminous and unprece- 
dented trail of data regarding who they are, where they live, and what they own. 

At the same time, the Internet and other technological advances have made con- 
sumer data easier to access, analyze, and share. Information that in years past was 
accessible only through a trip to the library or courthouse can now be readily avail- 
able to millions online, as computing capabilities for storing and reviewing informa- 
tion continue to grow at exponential rates. 

These changes have fueled the growth of a multi-billion dollar industry that large- 
ly operates hidden from consumer view. Today, a wide range of companies known 
as “data brokers” collect and maintain data on hundreds of millions of consumers, 
which they analyze, package, and sell generally without consumer permission or 
input. Since consumers generally do not directly interact with data brokers, they 
have no means of knowing the extent and nature of information that data brokers 
collect about them and share with others for their own financial gain. 

Data brokers collect and sell information for a variety of purposes including for 
fraud prevention, credit risk assessment, and marketing. Their customer base en- 
compasses virtually all major industry sectors in the country in addition to many 
individual small businesses. Some of the most well-known products sold by data bro- 
kers are credit reports that businesses use to make eligibility determinations for, 
among other things, credit, insurance, and employment — activities where consumers 
have detailed statutory consumer protections regarding the accuracy and sale of 
their information. 

This Committee Majority staff report focuses on data broker activities that are 
subject to far less statutory consumer protection: the collection and sale of consumer 
data specifically for marketing purposes. In this arena, data brokers operate with 
minimal transparency. 

One of the primary ways data brokers package and sell data is by putting con- 
sumers into categories or “buckets” that enable marketers — the customers of data 
brokers — to target potential and existing customers. Such practices in many cases 
may serve the beneficial purpose of providing consumers with products and services 
specific to their interests and needs. However, it can become a different story when 
buckets describing consumers using financial characteristics end up in the hands of 
predatory businesses seeking to identify vulnerable consumers, or when marketers 
use consumers’ data to engage in differential pricing. 

Further, the data breaches that have repeatedly occurred in this industry and 
with others in the data economy underscore the public’s need to understand the vol- 
ume and specificity of data consumer information held by data brokers. 

In light of these issues and the Chairman’s longstanding commitment to consumer 
protection and privacy matters, the Committee opened an inquiry last October to 
shine a light on how the data broker industry operates, with a specific focus on nine 
representative companies that sell consumer data for marketing purposes. The Com- 
mittee’s inquiry sought answers to four basic questions: 

• What data about consumers does the data broker industry collect? 

• How specific is this data? 

• How does the data broker industry obtain consumer data? 

• Who buys this data and how is it used? 

In response to the Committee’s inquiries, the companies queried provided docu- 
ments and narrative explanations. While some of the companies have been com- 
pletely responsive to this inquiry, several major data brokers to date have remained 
intent on keeping key aspects of their operations secret from both the Committee 
and the general public. 

Based on review of the company responses and other publicly available informa- 
tion, this Committee Majority staff report finds: 

(1) Data brokers collect a huge volume of detailed information on hundreds of mil- 
lions of consumers. Information data brokers collect includes consumers’ per- 
sonal characteristics and preferences as well as health and financial informa- 
tion. Beyond publicly available information such as home addresses and phone 
numbers, data brokers maintain data as specific as whether consumers view 
a high volume of YouTube videos, the type of car they drive, ailments they 
may have such as depression or diabetes, whether they are a hunter, what 
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types of pets they have; or whether they have purchased a particular shampoo 
product in the last six months; 

(2) Data brokers sell products that identify financially vulnerable consumers. 
Some of the respondent companies compile and sell consumer profiles that de- 
fine consumers in categories or “score” them, without consumer permission or 
knowledge of the underlying data. A number of these products focus on con- 
sumers’ financial vulnerability, carrying titles such as “Rural and Barely Mak- 
ing It,” “Ethnic Second-City Stragglers,” “Retiring on Empty: Singles,” “Tough 
Start: Young Single Parents,” and “Credit Crunched: City Families.” One com- 
pany reviewed sells a marketing tool that helps to “identify and more effec- 
tively market to under-banked consumers” that the company describes as indi- 
viduals including “widows” and “consumers with transitory lifestyles, such as 
military personnel” who annually spend millions on payday loans and other 
“non-traditional” financial products. The names, descriptions and characteriza- 
tions in such products likely appeal to companies that sell high-cost loans and 
other financially risky products to populations more likely to need quick cash, 
and the sale and use of these consumer profiles merits close review; 

(3) Data broker products provide information about consumer offline behavior to 
tailor online outreach by marketers. While historically, marketers used con- 
sumer data to locate consumers to send catalogs and other marketing pro- 
motions through the mail, or contact via telephone, increasingly the informa- 
tion data brokers sell marketers about consumers is provided digitally. Data 
brokers provide customers digital products that target online outreach to a 
consumer based on the dossier of offline data collected about the consumer; 

(4) Data brokers operate behind a veil of secrecy. Data brokers typically amass 
data without direct interaction with consumers, and a number of the queried 
brokers perpetuate this secrecy by contractually limiting customers from dis- 
closing their data sources. Three of the largest companies — ^Acxiom, Experian, 
and Epsilon — to date have been similarly secretive with the Committee with 
respect to their practices, refusing to identify the specific sources of their data 
or the customers who purchase it. Further, the respondent companies’ vol- 
untary policies vary widely regarding consumer access and correction rights 
regarding their own data — from virtually no rights to the more fulsome policy 
reflected in the new access and correction database developed by Acxiom. 

I. Background 

While there is no statutory definition for “data brokers,” the Federal Trade Com- 
mission (FTC) has defined this term to include “companies that collect information, 
including personal information about consumers, from a wide variety of sources for 
the purpose of reselling such information to their customers for various purposes, 
including verifying an individual’s identity, differentiating records, marketing prod- 
ucts, and preventing financial fraud.” ^ This report relies on the FTC definition of 
data broker, and focuses specifically on the collection and sale of consumer informa- 
tion for the purpose of marketing. 

The practice of collecting and selling consumer data to help businesses conduct 
marketing has existed for many decades. Long before the advent of the Internet, e- 
mail, or the mobile economy, data brokers developed expertise in compiling con- 
sumer data to facilitate targeted outreach to consumers through direct mail.^ To- 
ward that end companies have for many years assembled information about con- 
sumers from public records, surveys and sweepstakes entries, to develop consumer 
lists for use by marketers in targeting mailings and phone calls.^ 

What is new in recent years, however, is the tremendous increase in the volume 
and quality of digitally recorded data — and the technological advances that have fa- 


1 Federal Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change, at 68 
{Mar. 2012) (hereafter “FTC Privacy Report”). These companies may also be referred to as “in- 
formation resellers.” See Government Accountability Office, Information Resellers: Consumer 
Privacy Framework Needs to Reflect Changes in Technology and the Marketplace, GAO-13—663 
(Sept. 2013) (hereafter “GAO Information Resellers Report”). 

2 For example, after the introduction of zip codes in 1963, direct mail marketing companies 
used zip code data to make assumptions about individuals, such as the kinds of magazines they 
read, the foods they ate, and political affiliations. In 1974, social scientist Jonathan Robbin cre- 
ated PRIZM (Potential Rating Index for Zip Markets), which combined ZIP Codes with census 
data and consumer surveys to help target direct mail marketing. Michael J. Weiss, The Clus- 
tering of America (1988). 

3 Financial Times, Data Brokers Compile Lists to Map Your Life before you Reach the Cradle 
(June 13, 2013). 



8 


cilitated access to, storage, analysis, and sharing of this information.^ Information 
that was previously public but required a trip to places such as a library or court- 
house to retrieve can now be instantaneously accessible to millions when posted on 
the Internet. At the same time, consumers increasingly are expanding their digital 
data footprint as they go about their daily routines. 

For example, millions of consumers are now using computers, smart phones, and 
tablets to make purchases, plan trips, and research personal financial and health 
questions, among other activities.^ These digitally recorded decisions provide in- 
sights into the consumer’s habits, preferences, and financial and health status. A 
wide and ever-expanding variety of other routine activities also are becoming part 
of consumers’ digital trail — from viewing decisions regarding video streaming serv- 
ices® to online searches and mapping requests'^ to personal fitness monitoring 
through wearable devices® to stocking “smart” refrigerators that record food pur- 
chases and monitor expiration dates.® 

Amid this continuing growth in consumers’ digital records, there has been a “vast 
increase” in the number and types of companies that collect and sell consumer 
data.^® No comprehensive list of such companies currently exists, but estimates indi- 
cate the data broker industry consists of many hundreds of members. Media ac- 
counts and other reports in recent years have provided glimpses into some of the 
ways data brokers are obtaining, compiling, and sharing consumer data.^^ However, 
data broker activities have remained largely obscured from public view because 
these companies generally do not collect data directly from consumers and many of 
their practices lie outside the ambit of Federal consumer protection laws. 

A. GAO Review of Privacy Laws Applicable to Data Brokers 

In light of these changes regarding the availability and sale of consumer informa- 
tion, Chairman Rockefeller requested that the Government Accountability Office 
(GAO) review the privacy laws applicable to consumer information collected and sold 
for marketing purposes.^® In response, in September 2013, GAO released a report 
concluding that there is no one comprehensive privacy law governing information 
collection and sale of consumer data by private sector companies and that further, 
existing privacy laws have “limited scope” regarding the collection, use, and sale of 
consumer data for marketing purposes.^® 


Kenneth Cukier and Viktor Mayer-Schhoenberger, The Rise of Big Data: How It’s Chang- 
ing the Way We Think about the World, Foreign Affairs, at 28-40 (May/June 2013) (noting that 
while in 2000 “only one quarter of all the world’s stored information was digital” and “the rest 
was preserved on paper, film, and other analog media,” by 2013 “less than two percent of all 
stored information is non-digital”); Charles Duhigg, The Power of Habit: Why We Do What We 
Do in Life and Business, Chapter 7; Software & Information Industry Association, Data-Driven 
Innovation: A Guide for Policymakers — Understanding and Enabling the Economic and Social 
Value of Data, at 1—9 (2013); Organization for Economic Co-operation and Development, The 
Evolving Privacy Landscape: 30 Years After the OECD Privacy Guidelines, OECD Digital Econ- 
omy Papers, No. 176, at 16—18 (2011) (online at http:! j dx.doi.org ! 10.1787 1 5kgf09z90c31-en). 

^See Pew Internet & American Life Project, Broadband and Smartphone Adoption Demo- 
graphics (Aug. 27, 2013) (online at http: 1 1 www.pewinternet.org I Infographics 1 20 131 Broadband- 
and-smartphone-adoption.aspx) (“Today 56 percent of American adults own a smartphone or 
some kind, compared with 70 percent who have broadband at home”); Pew Internet & American 
Life Project, Cell Phone Activities 2012. 

® Salon.com, How Netflix is Turning Viewers into Puppets (Feb. 1, 2013). 

'^Time Magazine, Data Mining: How Companies Now Know Everything About You (Mar. 10, 
2011 ). 

® Entrepreneur, How Fitbit Is Cashing In on the High-Tech Fitness Trend (July 27, 2012). 

^NPR, The Salt, The ‘Smart Fridge’ Finds the Lost Lettuce, for A Price (May 4, 20l2). 

^°GAO Information Resellers Report, supra n.l, at 34. 

^^GAO Information Resellers Report, supra n.l, at 5 (noting: “Several privacy related organi- 
zations and websites maintain lists of data brokers — for example. Privacy Rights Clearinghouse 
lists more than 250 on its website — ^but none of these lists claim to be comprehensive. The Direct 
Marketing Association, which represents companies and nonprofits that use and support data- 
driven marketing, maintains a proprietary membership list, which it says numbers about 2,500 
organizations (although that includes retailers and others that typically would not be considered 
information resellers)”). 

'^‘^E.g., New York Times, You for Sale: Mapping, and Sharing, the Consumer Genome 
(June 16, 2012) (focusing on data broker Acxiom and reporting that the company maintains 
about 1,500 data points per consumer that include information on the size of home loans, house- 
hold incomes, or whether a household is concerned about certain health conditions). 

^^GAO Information Resellers Report, supra n. 1 at 1. To address these objectives, GAO ana- 
lyzed laws, studies and other documents, and interviewed representatives of Federal agencies, 
the date broker industries, consumer and privacy groups, and others. Id. 

14 GAO Information Resellers Report, supra n.l, at 7. 

i®GAO Information Resellers Report, supra n.l, at 16. 
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Specifically, GAO found that under current law, consumers have no Federal statu- 
tory right to know what information data brokers have compiled about them for 
marketing purposes, or even which data brokers hold any such information. Fur- 
ther, with the exception of information used for pre-screened offers of credit and in- 
surance, consumers generally do not have the right to control what personal infor- 
mation is collected, maintained, used, and shared about them — even where such in- 
formation concerns personal or sensitive matters about an individual’s physical and 
mental health. In addition, no Federal law provides consumers with the right to cor- 
rect inaccuracies in the data or assumptions made by data brokers on their own pro- 
files.17 

GAO does note that a “more narrowly tailored” set of laws concerning private sec- 
tor use of consumer information exists which “apply for specific purposes, in certain 
situations, to certain sectors, or to certain types of entities.” For example, the Fair 
Credit Reporting Act imposes a number of obligations on consumer reporting agen- 
cies (CRAs), which are entities that assemble consumer information into “consumer 
reports,” commonly referred to as credit reports, for use by issuers of credit and 
insurance, and by employers, landlords, and others in making eligibility decisions 
affecting consumers. The FCRA prohibits the sale of consumer reports for other 
than a permissible purpose. The FCRA does not allow the use of credit reports for 
marketing purposes, though marketing via pre-screened offers of credit and insur- 
ance is allowed, where it is a firm offer of credit and consumers are provided the 
opportunity to opt-out of such offers in the future.^® 

GAO also found that current Federal law does not fully address the use of new 
technologies, despite the fact that social media, web tracking, and mobile devices 
allow for faster, cheaper and more detailed data collection and sharing among re- 
sellers and private-sector entities.^^ 

Appendix I at the end of this report provides a detailed summary of the FCRA, 
and other existing Federal privacy laws and their applicability to the collection and 
dissemination of consumer data by data brokers. 

B. Voluntary Industry Guidelines 

The direct advertising and data broker industries have consistently asserted that 
Congress should defer to industry self-regulation rather than enacting broader con- 
sumer privacy legislation.^^ Industry members assert that their interest in avoiding 
reputational harm motivates them to engage in strong self-regulation and provides 
consumers with meaningful privacy protections.^® Privacy advocates, on the other 
hand, have argued that self-regulation does not adequately addresses concerns re- 
garding the potential for consumer abuse in this arena.®'' 

Industry trade associations that include data brokers have identified voluntary 
best practice guidelines for its members.®® For example, the Direct Marketing Asso- 
ciation (DMA) issued Guidelines for Ethical Business Practice that include prin- 
ciples of conduct, including recommendations on how members should handle and 
protect consumer information. Specifically, these guidelines provide that the mem- 
bers should offer notice of its policy “regarding the rental, sale, exchange or transfer 
of data about them” and the ability to opt-out of inclusion on a mailing list or other 


'®15 U.S.C. § 1681b(c). The Fair Credit Reporting Act provides consumers opt-out rights for 
such information. 15 U.S.C. § 1681h(e). 

'’'GAO Information Resellers Report, supra n.l, at 16—19. 

'®GAO Information Resellers Report, supra n.l, at 7. 

'®A “consumer report” means any written, oral, or other communication of any information 
hy a consumer reporting agency hearing on a consumer’s credit worthiness, credit standing, 
credit capacity, character, general reputation, personal characteristics, or mode of living which 
is used or expected to be used or collected in whole or in part for the purpose of making eligi- 
bility decisions. 15 U.S.C. § 1681a (d). 

2® 15 U.S.C. § 1681b (e). Pre-screened offers of credit or insurance — sometimes called “pre-ap- 
proved” offers — are sent to consumers unsolicited, usually by mail. They are based on informa- 
tion in consumers’ credit reports that indicates that the individuals receiving the offer meet the 
criteria set by the company making the offer. The FCRA limits the circumstances in which con- 
sumer reports can be used to make pre-screened offers, and provides that all such offers must 
include a notice of consumers’ right to stop receiving future pre-screened offers. 

2' GAO Information Resellers Report, supra n.l, at 19. 

22See, e.g., Senate Committee on Commerce, Science and 'Transportation, The Need for Pri- 
vacy Protections: Is Industry Self-Regulation Adequate, 112th Cong. (2012) (S. Hrg. 112-785). 
^^Id. 

^-^Id. 

25 Direct Marketing Association, Direct Marketing Association Guidelines for Ethical Business 
Practice (May 2011). 
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marketing methods,^® as well as specific ways to handle health information.^'^ A 
number of the companies that are the subject of the Committee’s inquiry are DMA 
members and have a^eed to abide by the association’s guidelines. 

In addition, the Digital Advertising Alliance, the trade association of the online 
advertising industry, has implemented Ad Choice, a program that allows consumers 
some control over their online information as it is used for online behavioral adver- 
tising.2® 

C. Privacy and Consumer Protection Issues Regarding Data Broker Practices 
Privacy and information experts have raised concerns regarding data broker prac- 
tices. These include issues relating to consumer privacy rights with respect to the 
use of their own personal information; the potential harmful ways consumer profiles 
can be used; the extent to which data broker products categorize consumers based 
on financial characteristics are serving as substitutes or supplements for the con- 
sumer report products that are more highly regulated; and the vulnerability of data 
broker computer systems to a data breach. 

Privacy Issues. One major issue raised by privacy advocates is that data brokers 
operate without transparency to consumers. Since data brokers generally collect in- 
formation without the consumers’ knowledge, consumers have limited means of 
knowing how the companies obtain their information, whether it’s accurate, and for 
what purposes they are using it.^® 

Privacy experts further point out that consumers currently lack control over the 
compilation and use of data that may contain intimate details about them. For ex- 
ample, the Financial Times reported one data broker is selling lists of addresses and 
names of consumers suffering from conditions including cancer, diabetes, and de- 
pression, and the medications used for those conditions; another is offering lists 
naming consumers, their credit scores, and specific health conditions.®® Citing these 
and other examples, FTC Commissioner Julie Brill recently raised the question: 
“What damage is done to our individual sense of privacy and autonomy in a society 
in which information about some of the most sensitive aspects of our lives is avail- 
able for analysts to examine without our knowledge or consent, and for anyone to 
buy if they are willing to pay the going price.” 

Data brokers argue that the creation and use of consumer profiles for marketing 
does not pose substantial privacy issues for consumers because this information can- 
not be used in decisions affecting a consumer’s eligibility for credit or insurance, or 
in employment or housing decisions. Rather, such profiling benefits consumers by 
facilitating targeted outreach about products and services that are relevant to con- 
sumers’ specific interests, needs, or preferences.®® 

However, an incident involving Target highlights how marketing based on con- 
sumer profiling may pose unintended privacy issues. According to a New York Times 
report. Target developed a pregnancy prediction model to enable the company to tar- 
get marketing of certain products to expectant mothers. In one case. Target sent 
maternity and baby clothes coupons to the household of a teenage girl who, through 
use of this model, they predicted was pregnant. These mailings alerted the girl’s fa- 
ther that she was pregnant — before she had told him the news herself.®® 

Potentially Harmful Uses of Data Broker Products. Some consumer advocates also 
have noted that targeted marketing means consumers have unequal access to help- 
ful information, offers, and benefits, and have questioned the fairness of this result 
when the basis for such targeting are consumer profiles constructed without the con- 
sumer’s knowledge, input, or permission — and that in fact may not be accurate. 
World Privacy Forum Executive Director Pam Dixon has elaborated as follows: 

Two people going to one website or one retail store could already be offered en- 
tirely different opportunities, services, or benefits based on their modern perma- 
nent record comprised of the previous demographic, behavioral, transactional, 
and associational information accrued about them.®'' 


26 W. at 18-19. 

Id. at 20 (Article #33: Collection, Use, and Transfer of Health-Related Data). 

26 See AdChoices website at http: ! / www.youradchoices.coml (accessed Dec. 13, 2013). 

26 See FTC Privacy Report, supra n.l, at 61-69. 

66 Financial Times, Companies Scramble for Consumer Data (June 12, 2013). 

61 Keynote Address by (Commissioner Julie Brill, Reclaim Your Name, 23rd Computers Free- 
dom and Privacy Conference (June 26, 2013). 

62 See GAO Information Resellers Report, supra n.l, at 40-41 (summarizing industry argu- 
ments on benefits of information sharing for consumers). 

66 Charles Duhigg, The Power of Habit, Chapter 7. 

64 Testimony of Pam Dixon, Executive Director, World Privacy Forum, House Committee on 
Energy and Commerce, Subcommittee on Communications, Technology, and the Internet 
(Nov. 19, 2009). See also Dwork & Mulligan, It’s Not Privacy, and It’s Not Fair, 66 
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A related issue is whether ready access to increasingly detailed consumer data 
lends to differential pricing. Indeed, several recent media accounts have described 
cases where website retailers offered consumers different prices for the same prod- 
uct based on analysis of customer characteristics. For example, a Wall Street Jour- 
nal report found that office supply retailers have varied prices displayed for the 
same product based on customers’geolocation and other factors.^® In another exam- 
ple the travel website Orbitz reportedly showed costlier travel options to visitors 
whose browsers indicated they were using Mac computers, because this brand was 
assumed to be used by more affluent consumers.®® While it does not appear from 
these news accounts that third party data broker products were involved with these 
particular examples, these reports underscore that targeting the most “relevant” in- 
formation to consumers does not always equate to providing consumers information 
about the best deals. 

A few recent cases also have highlighted the value of consumer profiles to preda- 
tory businesses seeking to target vulnerable consumers. In October of 2012, the FTC 
alleged that the credit reporting division of Equifax improperly sold more than 
17,000 “prescreened” lists of consumers who were late on their mortgage payments 
to Direct Lending Source, Inc. and its affiliate companies. Direct Lending subse- 
quently resold some of these lists to third parties, who “used the lists to pitch loan 
modification and debt relief services to people in financial distress,” including to 
companies that had been the subject of prior law enforcement investigations.®'^ 

In June 2011, Teletrack, Inc. paid a $1.8 million penalty to settle FTC charges 
that it sold lists of consumers who had previously applied for non-traditional credit 
products, including payday loans, to third parties — primarily pay day lenders and 
sub-prime auto lenders — that wanted to use the information to target potential cus- 
tomers. The FTC alleged that the information Teletrack sold constituted consumer 
reports and could not be sold for marketing.®® 

Similarly, the New York Times reported in 2007 that data broker InfoUSA had 
sold lists of consumers with titles such as “Suffering Seniors” to individuals who 
then used the lists to target elderly Americans with fraudulent sales pitches.®® 

Use of Predietive Seoring Products for Marketing. Consumer advocates have sug- 
gested that that use of scoring products that predict consumer behavior merits fur- 
ther scrutiny. Companies reportedly are using predictive scoring products for a 
range of purposes, such as assessing which customers will receive special offers, or 
looking at credit risks associated with certain mortgage applications — but con- 
sumers are generally not aware of these products and do not have access to the data 
underl 3 dng them. The FTC plans to hold a hearing in the Spring to examine the 
use of these products, including the types of consumer protections that should be 
provided.'^® 

Data Breaches. Finally, a series of incidents over recent years have underscored 
that data brokers — like others who collect and maintain sensitive consumer data — 


Stan.L.Rev.Online 35 (Sept. 3, 2013) (arguing that increasing use of consumer profiles by mar- 
keters and others could inadvertently result in social discrimination where unfair or inaccurate 
profiles are created and reinforced without consumers’ input). 

®®Wall Street Journal, Websites Vary Prices, Deals Based on Users’ Information (Dec. 24, 
2012 ). 

®®Wall Street Journal, On Orbitz, Mac Users Steered to Pricier Hotels (Aug. 23, 2012). 

The FTC charged Equifax with a host of FCRA violations, including that it provided credit 
report information to entities that lacked a permissible purpose. The FTC further charged that 
Equifax’s failure to employ appropriate measures to control access to sensitive consumer infor- 
mation was unfair, in violation of Section 5 of the FTC Act. Direct Lending was also charged 
with violating Section 5 and the FCRA for, among other reasons, obtaining pre-screened lists 
without having a permissible purpose and failing to maintain reasonable procedures to ensure 
that prospective users to whom it had resold the reports had a permissible purpose. Equifax 
and Direct Lending combined paid nearly $1.6 million to resolve charges that they violated the 
Fair Credit Reporting and the FTC Act. Press Release, FTC Settlements Require Equifax to For- 
feit Money Made by Allegedly Improperly Selling Information About Millions of Consumers Who 
Were Late on Their Mortgages, Federal Trade Commission (Oct. 10, 2012) (available at http:! ! 
www.ftc.gov ! news-events / press-releases ! 2012 110 Iftc-settlements-require-equifax-forfeit-money- 
made-allegedly). 

Press Release, Consumer Reporting Agency to Pay $1.8 Million for Fair Credit Reporting Act 
Violations, Federal Trade Commission (June 27, 2011) (available at http: I / www.ftc.gov I news- 
events I press-releases 1 2011 ! 06 lconsumer-reporting-agency-pay-18-million-fair-credit-reporting}. 

®® New York Times, Bilking the Elderly, with a Corporate Assist (May 20, 2007). 

Press Release, FTC to Host Spring Seminars on Emerging Consumer Privacy Issues, Federal 
Trade Commission (Dec. 2, 2013) (available at http: I lwww.ftc.gov I news-events ! press-releases I 
2013 ! 12! ftc-host-spring-seminars-emerging-consumer-privacy-issues). 
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are vulnerable to data breaches.'^i Privacy advocates emphasize the need to make 
sure appropriate protections against data breach are in place for consumer data.'^^ 

D. Recent FTC and Congressional Reviews of the Data Broker Industry 

Several recent inquiries have explored data broker practices and related privacy 
and consumer protection issues. The FTC has held a series of workshops, opened 
a formal inquiry, written reports, and proposed principles for industry self-regula- 
tion on how companies collect, use and protect consumer data. In March of 2012, 
the Commission released a comprehensive report on protecting consumer’s data pri- 
vacy in light of the rapid advances of technological change. The Commission rec- 
ommended that Congress consider enacting baseline privacy legislation across in- 
dustry sectors. The report also called for greater transparency in the data broker 
and advertising industries.’'^ 

The 2012 report identified the data broker industry as one of the Commission’s 
main focuses in implementing an enhanced privacy protection framework.’'’' In ex- 
amining the privacy implications of the data broker industry, the FTC has also 
noted how advances in technologies have rapidly allowed for the aggregating and 
selling of consumer information that combines data reflecting consumers’ online ac- 
tivities as well as “offline” information that has been accessible since before the 
Internet.’'® 

In December 2012, the FTC opened an inquiry pursuant to its authority under 
Section 6(b) of the FTC Act to examine privacy implications of the data broker in- 
dustry’s collection and use of consumer data.’'® This investigation is underway and 
will result in a study and recommendations on whether, and how, the data broker 
industry could improve its privacy practices.’''^ 

In addition to the FTC’s ongoing work, in the summer of 2012, a bipartisan group 
of eight lawmakers led by Reps. Ed Markey (D-MA) and Joe Barton (R-TX) opened 
an inquiry into how data brokers collect and use consumer’s personal data.’'® In No- 
vember 2012 the lawmakers concluded their inquiry, finding that, “Many questions 
about how these data brokers operate have been left unanswered, particularly how 
they analyze personal information to categorize and rate consumers.”"'® 

II. Committee Investigation 

In light of the gaps in public knowledge regarding data broker practices, in Octo- 
ber 2012 the Committee opened an inquiry into the data broker industry to help 
the Committee better understand industry practices and the information data bro- 
kers collect and share about American consumers for marketing purposes. To obtain 
a snapshot of industry practices, the Committee focused on nine companies that col- 
lect and sell consumer information: Acxiom, Experian, Epsilon, Reed Elsevier, 
Equifax, TransUnion, Rapleaf, Spokeo, and Datalogix. 

The companies include the three major credit reporting companies — Experian, 
Equifax, and TransUnion — each of which also sells consumer data for marketing 
purposes; and well-established targeted marketing companies — Acxiom, Epsilon, 
Reed Elsevier, and Datalogix — that maintain data on millions of consumers. In addi- 
tion, the sample reflects companies with discrete focus on major data collection tech- 
niques and marketing uses: Rapleaf, which in 2010 specialized in collecting public 
data from social media sites, and Spokeo, which offers individual consumer look-up 
services. 


""Wall Street Journal, Breach Brings Scrutiny (April 5, 2011); United States v. ChoicePoint, 
Inc., No. 1 06-CV— 0198 (N.D. Ga. filed Jan. 30, 2006); Press Release, Agency Announces Settle- 
ment of Separate Actions Against Retailer TJX, and Data Broker Reed Elsevier and Seisint for 
Failing to Provide Adequate Security of Consumer Data, Federal Trade Commission (Mar. 27, 
2008) (available at http: 1 1 www.ftc.gov t news-events ! press-releases ! 2008 103 1 agency-announces- 
settlement-separate-actions-against-retailer-tjx). 

42 FTC Privacy Report, supra n.l, at 24-26. 

43 FTC Privacy Report, supra n.l. 

44 FTC Privacy Report, supra n. 1, at 68, 72-73. 

45 FTC Privacy Report, supra n.l. 

’'® Press Release, FTC to Study Data Broker Industry’s Collection and Use of Consumer Data, 
Federal Trade Commission (Dec. 18, 2012) (available at http: ! I www.ftc.gov I news-events ! press- 
releases 12012 ! 12 ! ftc-study-data-broker-industrys-collection-use-consumer-data). Three of the 
nine companies the FTC is examining are included in this inquiry. 

^■’Id. 

’'®New York Times, Congress to Examine Data Sellers (July 24, 2012). 

AdWeek, Lawmakers Come Up Short in Data Brokers Probe (Nov. 8, 2012). 
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On October 9, 2012, Chairman Rockefeller sent letters to the nine data broker 
companies requesting information about each company’s data collection and use 
practices.®° The letters highlighted four basic questions: 

• What data about consumers does the industry collect? 

• How specific is the data the industry collects about consumers? 

• How does the industry obtain this data? 

• Who buys the data and how is it used? 

All nine companies provided narrative and documentary responses to the Com- 
mittee letter. Some of these companies were forthcoming regarding all questions. 
For example, Equifax’s response included a list of the specific entities that are data 
sources and customers they provided after clearing this disclosure with each entity. 
However, several large data brokers — ^Acxiom, Experian, and Epsilon — to date have 
refused to identify to the Committee their specific data sources. Instead, they have 
described general categories of sources — such as “surveys” and “public records.” 

One of the main consumer-facing data sources identified in the company re- 
sponses is websites. In an attempt to learn more about consumer information data 
brokers obtain from websites, on September 24, 2013, Chairman Rockefeller sent 
letters to twelve popular personal finance, health, and family-focused wehsites 
whose privacy policies allowed for sharing with third parties and that also indicate 
they collected consumer data through “surveys,” “sweepstakes,” and “question- 
naires,” which were identified hy data brokers to the Committee as sources of con- 
sumer information. The letters asked whether the websites shared information with 
third parties, and if so, with whom. 

On October 23, 2013, following press reports alleging that an Experian subsidiary 
sold data to an alleged identity theft operation,®^ Chairman Rockefeller sent a sec- 
ond letter to Experian requesting information about the incident and the company’s 
customer vetting practices, and pressing the company to provide the Committee a 
complete list of its data purchasers and sources.®^ Experian to date has not provided 
the Committee either its specific data sources or its data purchasers. 

In the course of the inquiry. Committee Majority staff reviewed thousands of 
pages of documents produced by respondent companies including narrative re- 
sponses, company manuals and training materials, contracts, and marketing mate- 
rials. 

III. Committee Majority Staff Findings Regarding Industry Practiees 

The responses received by the Committee during this inquiry provide a glimpse 
into the operations of a large and continually evolving industry. The nine data bro- 
kers queried by the Committee hold a vast and varied amount of consumer data. 
Acxiom alone has “multi-sourced insight into approximately 700 million consumers 
worldwide,” and Datalogix asserts its data “includes almost every U.S. house- 
hold.”®® Some of the companies maintain thousands of data points on individual 
consumers, with one providing the Committee a list of approximately 75,000 indi- 
vidual data elements that are in its system.®® Data collected by these companies in- 
cludes detailed and personal information including data on consumers’ health and 
financial status. 

One of the main types of products offered for sale by respondent data brokers are 
“modeled” profiles of consumers that categorize consumers, or that “score” likelihood 
for certain behaviors, based on inferences drawn from consumer data. The respond- 


Senate Committee on Commerce, Science, and Transportation, Rockefeller Seeks Information 
About Data Brokers’ Practices (Oct. 10, 2012). 

®^For example, one company noted “there are over 250,000 websites who state in their privacy 
policy that they share data with other companies for marketing and/or risk mitigation pur- 
poses.” Acxiom response to Chairman John D. Rockefeller IV (Mar. 26, 2013). 

Krebsecurity.com, Experian Sold Consumer Data to ID Theft Service (Oct. 20, 2013); 
PCMag.com, Experian Confirms Subsidiary’s Data Sold to Identity Theft Operation (Oct. 22, 
2013). 

Senate Committee on Commerce, Science, and Transportation, Rockefeller’s Latest Letter to 
Experian Requests Information on Reported Data Disclosures to Identity 'Theft Services (Oct. 24, 
2013). 

s^Acxiom Corp., 2013 10-K Annual Report for the Period Ending March 31, 2013 (filed 
May 29, 2013). 

http:! I wwiv.datalogix.com /about ! . The other companies queried by the Committee hold 
data on millions more. For example, Rapleaf claims to have at least one data point for over 80 
percent of U.S. consumer e-mail addresses, http:! j www.rapleaf.com j why -rapleaf j . 

Equifax Response to the Committee (Aug, 23, 2013) (EFX PROD6 000010-001361). Acxiom 
claims to have “over 3,000 propensities for nearly every U.S. consumer.” Acxiom Corporation 
(2013). Form lOK 2013. 
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ent companies offer for sale a number of modeled products that group consumers 
based on their degree of financial vulnerability, such as “Rural and Barely Making 
It,” or “Ethnic Second-City Stragglers.” The Committee has no evidence that any of 
the specific queried companies are currently selling such products for inappropriate 
purposes. However, the creation and use of these types of products merits close scru- 
tiny, particularly in light of their value to predatory businesses that seek to target 
consumers who are economically fragile.®'^ 

Data brokers continue to develop new approaches to facilitate marketing outreach 
to consumers online. Some data brokers now offer products that enable marketers 
to tailor online advertisements based on off-line data about the consumer provided 
by the data broker. 

As they conduct these various activities, data brokers remain largely invisible to 
the consumers whose information populates their databases. Consumers have lim- 
ited means of learning that these companies hold their data, and respondent compa- 
nies provide consumers rights of access and control regarding their data that vary 
widely by companies. Several of the largest respondent companies have been simi- 
larly secretive with the Committee, refusing to identify specific sources of their data, 
and specific customers who purchase it. And provisions in company contracts with 
customers perpetuate this secrecy by placing restrictions on customer disclosures re- 
garding data sources. 

Below is a detailed discussion of the Committee Majority Staffs findings regard- 
ing the information companies have provided to date regarding the collection, com- 
pilation, and sale of consumer data. 

A. Data Broker Collection of Consumer Data 

The information the Committee obtained in this inquiry regarding the nature and 
specificity of information collected by data brokers paints a picture consistent with 
the following observation offered by one of the respondent companies: “The amount 
of available data has created an unprecedented amount of information about con- 
sumers: Their attitudes and behaviors, perceptions about brands, what they’re buy- 
ing and even where they happen to be at the moment the data is captured.” 

1. Nature of Data Collected 

Much of the information data brokers collect is demographic, such as consumers’ 
names, addresses, telephone numbers, e-mail addresses, gender, age, marital status, 
presence of and ages of children in household, education level, profession, income 
level, political affiliation, and information about their homes and other property. In 
addition, data brokers collect many other categories of information about individ- 
uals. Some examples include: 

• Consumer purchase and transaetion information, including whether a purchase 
was made through a catalog, online, or in-store, as well as the frequency of such 
purchases;®® 

• Consumers’ available methods of payment, including type of credit card and 
bankcard issuance date;®® 

• Purehase of automobiles, including makes and models of cars purchased or 
whether a consumer prefers new or used cars;®'^ 

• Health conditions. One company collects data on whether consumers suffer from 
particular ailments, including Attention Deficit Hyperactivity Disorder, anxiety, 
depression, diabetes, high blood pressure, insomnia, and osteoporosis, among 
others;®^ another keeps data on the weights of individuals in a household.®® An 
additional company offers for sale lists of consumers under 44 different cat- 


See infra Section III.B.2fa) discussing consumer protection issues relating to such lists. 

Epsilon Targeting, Data Intelligence (EPS— COM-002026). 

®®Experian Narrative Response to Senate Commerce Committee (Dec. 14, 2013); Datalogix 
Narrative Response to Senate Commerce Committee (Nov. 16, 2013). 

Epsilon, TotalSource Plus Data Enhancement Element Listing (EPS— COM-5— 25); Acxiom, 
The Power of Insight: Consumer Data Products Catalog (ACXM 190); Lexis Nexis, MarketView 
Demographic Data Dictionary (REP001397-1403). 

Acxiom, The Power of Insight: Consumer Data Products Catalog (ACXM 173—226); Lexis 
Nexis, MarketView Demographic Data Dictionary (REP001397— 1403). 

Epsilon, TotalSource Plus Data Enhancement Element Listing (EPS-COM— 16). Epsilon has 
provided that it collects data about health ailments solely through its “Shoppers Voice” survey 
through which consumers “self-report” data, which is described in more detail in Section 
in.A.2.d. 

Acxiom, The Power of Insight: Consumer Data Products Catalog (ACXM 184). 
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egories of health conditions, including obesity, Parkinson’s disease. Multiple 
Sclerosis, Alzheimer’s disease, and cancer, among others;®’^ 

• Social media activity, including the number of a consumer’s friends and fol- 
lowers, and whether they view YouTube videos.®® 

The specificity of consumer data that brokers collect, maintain, and share varies 
depending on the entity. For example, TransUnion reported that it maintains and 
offers for sale primarily demographic data.®® On the other hand, Equifax maintains 
approximately 75,000 individual data elements for its use in creating marketing 
products, including information as specific as whether a consumer purchased a par- 
ticular soft drink or shampoo product in the last six months,®'^ uses leixatives or 
yeast infection products;®® OB/GYN doctor visits within the last 12 months,®® miles 
traveled in the last 4 weeks, and the number of whiskey drinks consumed in the 
past 30 days.'^i Some companies offer “data dictionaries” that include more than one 
thousand potential data elements, including whether the individual or household is 
a pet owner, smokes, has a propensity to purchase prescriptions through the mail,'^^ 
donates to charitable causes, is active military or a veteran, holds certain insurance 
products including burial insurance or juvenile life insurance, enjoys reading ro- 
mance novels, or is a hunter.'^® 

2. Sources of Consumer Data 

The information the responding companies provided to the Committee suggests 
that these data brokers primarily obtain consumer data through five major avenues: 
government records and other public data; purchase or license from other data col- 
lectors; cooperative agreements with other companies; self-report by consumers, 
often through surveys, questionnaires, and sweepstakes; and social media.'^^ 

Three companies — ^Acxiom, Experian, and Epsilon — declined to share specific data 
sources with the Committee, citing confidentiality clauses in their contracts, and 
concerns about putting themselves at a competitive disadvantage among the rea- 
sons. Instead, these companies provided general descriptions of the types of entities 
that are data sources. 

a. Government Records and Other Publicly Available Data 

Many companies reported obtaining information from public records sources. 
These include: census data; property records; court filings, including criminal convic- 
tions, judgments, liens, and bankruptcies; driver’s license records; voter registra- 
tions; telephone directories; real estate listings; and marriage and death certifi- 
cates.'^® Data brokers also obtain publicly available information from licensing fil- 
ings including licenses for physicians and other medical professionals, attorneys, ac- 
countants, engineers, notaries, and real estate professionals, as well as hunting. 


Experian, List Services Catalog (EXP002569). Experian provides its catalog, which contains 
more detail about element listings on its website (available at http:l I www.experian.com ! assets ! 
data-university I brochures I ems-list-services-catalog.pdf). 
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Narrative Response to Senate Commerce Committee at 7 (Mar. 1, 2013); and Acxiom, Acxiom 
Predictive Scores for Social Media (ACXM 473). 

®® Letter from TransUnion to Chairman John D. Rockefeller IV (Dec. 14, 2012). 

Equifax Response to Senate Commerce Committee (Aug, 23, 2013) (EFX PROD6 000010- 
001361). Equifax made clear in their response that the individual data elements are not sold 
as is, but are used to create their products and models. Individual-level data elements are aggre- 
gated for use in products sold to customers. Id. 

B»Id. 
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™Id. 
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Acxiom, The Power of Insight: Consumer Data Products Catalog (ACXM 173—226). 

Epsilon, TotalSource Plus Data Enhancement Element Listing (EPS— COM-5— 25). 

"^^In November 2013, the Attorney General of New Jersey settled a case that suggested web 
browsing activity is potentially an additional source of information for data brokers. The case 
alleged that Dataium, a data company, used software to track websites visited by consumers, 
a practice known as “history sniffing,” and then sold consumer preferences inferred from web 
browsing along with consumers’ names, phone numbers, and e-mail addresses to Acxiom. See 
Office of New Jersey Attorney General, Acting Attorney General Announces Settlement Resolving 
Allegations Data Company Engaged in Online “History Sniffing” (Nov. 21, 2013) (available at 
http: II nj.gov ! oag ! newsreleaseslS ! pr20131121a.html). 

"^^E.g., Acxiom Narrative Response to Senate Commerce Committee (Feb. 15, 2013). 
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fishing, and pilot licensesJ® License information can supply contact information and 
license issuance and expiration datesJ'^ 

b. Purchase or License 

Companies reported that several types of entities either sell or license them data, 
including: 

Retailers. Retailers provide data brokers with consumers’ purchase information, 
which can include consumer name, postal addresses, e-mail addresses, items 
purchased, transaction history, and whether the purchase was made in a store, 
online, or through a catalogJ® Often, the information provided does not identify 
the specific item purchased, but rather the category or type of product, such as 
“collectibles” or “ladies apparel.” Retailers are able to collect this information 
about consumers through many methods, among them store or brand loyalty/ 
rewards cards.^^ 

Financial institutions. Responding companies reported receiving information 
from a variety of financial institutions, such as banks, credit unions, brokerage 
services, and online trading platforms. Such sources provide information regard- 
ing bank deposits, brokerage assets, annuities, and mutual funds. Companies 
reported that the information obtained is not tied to specific consumers, but is 
received in an anonymized or aggregated form®® and used to create models and 
scoring products.®^ 

Other data brokers. All of the responding companies reported obtaining informa- 
tion from other data brokers either by purchasing or under sharing arrange- 
ments. Some have specified which other data brokers provide such information, 
while others refused to specify other data broker sources beyond generic de- 
scriptions such as “third-party partners.”®^ 

c. Cooperative Arrangements 

Another way data brokers obtain information is through cooperative arrange- 
ments in which companies provide information about their customers in exchange 
for information to enhance their existing customer lists or identify new customers. 
Examples described by responding companies include: 

• Epsilon operates a cooperative consisting of over 1,600 participating companies, 
which include catalog and retail companies, non-profits, and publishers.®® Par- 
ticipants contribute household purchase information in exchange for informa- 
tion about prospective customers. Epsilon organizes this data into 22 “primary 
purchase categories,” such as children’s apparel and merchandise. ®’‘ 

• Experian manages a database open to catalog sellers as well as brick and mor- 
tar and e-commerce retailers. Participants provide customer transactional 
records, which may include consumer’s name, address, gender, e-mail address, 
phone number, channel of purchase (e.g., online or in-store), dollar amount, pay- 
ment method, transaction date, and transaction product category.®® Experian 
summarizes the information to describe buying behaviors at the household level 
within general product categories — such as “Kitchen and Tabletop,” “Books,” or 
“Vitamins/Health Products.”®® For example, “if a high-end retailer of men’s 


™/d at 5. 
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'^®Datalogix Narrative Response to Senate Commerce Committee, at 1 (Nov. 2, 2012). 

Consumers who use loyalty cards allow retailers to collect information about their pur- 
chases in exchange for discounts, coupons, or other perks such as discounts on gasoline pur- 
chases. In 2012, Americans had a collective total of 2.65 billion loyalty program memberships. 
See Bulking Up: The 2013 Colloquy Loyalty Census, Growth and Trends in U.S. Loyalty Pro- 
gram Activity, Colloquy (June 2013). 

Financial institutions provide anonymous financial data, meaning it does not include con- 
sumers name, house number or street name; and information aggregated at the ZIP-t-4 level. 
Letters from Paul Zurawski, Senior Vice President Government Affairs and Regulatory Manage- 
ment, Equifax, to Chairman John D. Rockefeller IV (Feb. 13, 2013) and (Jan. 23, 2013). 

See Section III.B for a discussion of modeling and scoring. 

Experian Narrative Response to Senate Commerce Committee (May 24, 2013). 

Letter from Jeanette Fitzgerald, Senior Vice President and General Counsel, Epsilon, to 
Chairman John D. Rockefeller IV (Nov. 2, 2012); Epsilon, Abacus Cooperative Overview (EPS— 
COM-002114). 

Letter from Jeannette Fitzgerald, Senior Vice President and General Counsel, Epsilon, to 
Chairman John D. Rockefeller IV, at 5-6 (Nov. 2, 2012). 

Experian, Z-24 Catalog Database File Information (EXP001665). 

Experian Narrative Response to Senate Commerce Committee, at 5 (Dec. 14, 2012). 
Experian breaks purchase information into 64 different categories. Experian (EXP001667). 
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business suits reports a customer purchase of approximately $500, Experian 
would maintain a record showing only that the household engaged in a trans- 
action involving Men’s High-End Apparel.” 

• Equifax runs a cooperative for financial institutions that contribute data at 
least twice per year about consumer and small business investments and bank 
accounts. According to the company, this information is anonjnnized, often in- 
cluding only zip code and year of birth;®* it does not include information that 
could be used to individually identify consumers. Participants have access to 
certain information and products available only to members, including products 
that estimate total outstanding credit and that track assets.®® 

• Datalogix offers a cooperative arrangement that allows retailers to share infor- 
mation including customers’ names, mailing addresses, e-mail addresses, pur- 
chase transaction histories, and transaction channel, such as Internet, catalog, 
or retail purchase. In return for suppl 3 dng information, participants can receive 
mailing lists, or access to online audiences to identify new customers.®® 

d. Self-Reporting by Consumers 

The responses to the Committee’s inquiries indicate that data brokers obtain in- 
formation directly from consumers through warranty cards, sweepstakes entries, 
and other types of surveys. Some of the data brokers conduct their own marketing 
surveys, both on-and off-line, and shared examples with the Committee.®^ These 
surveys ask detailed questions about household demographics, income levels, shop- 
ping preferences, and other personal matters such as health and insurance related 
information. For example, some surveys ask whether anyone in the household suf- 
fers from diabetes, or what types of insurance the household currently has or plans 
to obtain.®® Surveys provided to the Committee disclose to consumers that the infor- 
mation they provide may be shared for marketing purposes in exchange for entry 
into a sweepstakes or other chances at prizes. However, the surveys do not gen- 
erally indicate that they are affiliated with a specific data broker. 

For example, Epsilon obtains consumer data through its “Shopper’s Voice” survey. 
The survey contains several pages of specific questions about the household, includ- 
ing demographic information, hobbies and interests, products purchased, and ail- 
ments. The survey includes questions about a range of health-related matters. For 
example, one category, titled “Heart Health,” asks whether anyone in the household 
has a family history of heart disease, heart attack, high hlood pressure or high cho- 
lesterol, whether anyone suffers from angina, atrial fibrillation, and whether these 
ailments are treated with a prescription.®® The survey also asks the respondent to 
indicate whether they personally or another member of the household suffer from 
other listed ailments, such as depression. Bipolar disorder or other major depressive 
disorder. Lupus, or Parkinson’s disease. ®'‘ The Shopper’s Voice survey is mailed to 
approximately 36 million households each January; approximately 5.2 million 
households complete and return it to Epsilon.®® Consumers are encouraged to re- 
spond to the survey by being offered an opportunity for savings via coupons and a 
chance to win $10,000.®® See Exhibit A for a complete example of the survey ques- 
tions. 

Experian collects data through the “Simmons National Consumer Surveys,” which 
over 30,000 consumers fill out each year.®^ Questions cover subjects including demo- 
graphic, hobbies and interests, military experience, participation in the lottery, and 


Experian Narrative Response to Senate Commerce Committee, at 5 (Dec. 14, 2012). 

Equifax, Member Data Submissions (EFX PRODS 0143). 

Letter from Paul Zurawski, Senior Vice President Government Affairs and Regulatory Man- 
agement, Equifax to Chairman John D. Rockefeller, at 3 (Feb. 13, 2013); Equifax Corporation, 
IXI Services Core Products for Network Members (EF^ PRODS 0191). 

Datalogix Narrative Responses to Senate Commerce Committee (Nov. 2, 2012) and (Nov. 16, 
2012 ). 

®^E.g. Experian Narrative Response to Senate Commerce Committee (Feb. 8, 2013); and Let- 
ter from Jeanette Fitzgerald, Senior Vice President and General Counsel, Epsilon, to Chairman 
John D. Rockefeller (Nov. 2, 2012). 

®2 Epsilon, Shopper’sVoice Consumer Product Survey of America (2012) (EPS— COM-000001— 
000004). 

os Id 2 

3“ Epsilon, Shopper’s Voice Survey (EPS-COM-003757). 

®® Epsilon, TargetSource Survey Data, at 3 (EPS— COM-003150). 

®® Epsilon, TargetSource Survey Data, at 5 (EPS— COM-003152). 

Experian, Simmons National Consumer Studies (online at http: I ! www.experian.com j sim- 
mons-research ! national-consumer-studies.html). 
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product preferences.^® Consumer responses are aggregated and used to create mod- 
els that assign a shared set of characteristics to all households within a particular 
zip code. Simmons surveys include the Simmons National Consumer Survey; the 
Simmons National Rids and Teens Studies; the National Hispanic Consumer Sur- 
vey; and the Simmons Lesbian, Gay, Bisexual and Transgender Study.®® Adults may 
be paid $25 for their participation in the survey and teens receive $14 in addition 
to a keychain. 1®® 

According to narrative responses from Acxiom and Experian, consumers report 
personal information to them by completing surveys, entering sweepstakes, reg- 
istering to receive coupons, or filling out other forms on Internet sites. The websites 
either directly feed this information to data brokers or provide it to other “data com- 
pilers” who then pass it to data brokers.^®'^ 

Experian uses survey results in products including Experian’s “BehaviorBank.” As 
Experian explained: 

BehaviorBank is a database of self-reported information provided by consumers 
with the clear understanding of the consumer that the responses will be used 
for marketing. . .Experian acquires all such information from third-party part- 
ners. Such third parties typically either recruit consumers for their own surveys 
or obtain data from companies that have surveyed their own customers. In some 
cases, consumers are offered an incentive, such as an opportunity to win a 
prize, for participation in the survey.^®^ 

Experian refused to identify to the Committee the third-party website sources of 
data for the company. 

Similarly, Acxiom said consumer-facing websites are a source of their consumer 
data, but declined to provide the Committee the specific identities of these websites 
except for six self-selected samples websites. Instead the company stated generally, 
“there are over 250,000 websites who state in their privacy policy that they share 
data with other companies for marketing and/or risk mitigation purposes.” i®® 

Of the six websites provided by Acxiom, one was not functional when Committee 
majority staff attempted to access it. The remaining five asked consumers for vary- 
ing levels of personal information in exchange for benefits such as coupons and dis- 
counts, or the opportunity to compare health insurance quotes. The general counsel 
for the company that maintains the health insurance quote website, when contacted 
by Committee majority staff, said the company had no information sharing agree- 
ment with Acxiom, and that the entities that contract to receive the website’s infor- 
mation are contractually prohibited from sharing that data with third parties such 
as Acxiom. 1®'' Acxiom represented that this website data source was provided by one 
of Acxiom’s data aggregators. i®® 

To explore the issue of website data sources further. Chairman Rockefeller 
queried 12 popular health and financial focused websites whose privacy policies ap- 
peared to allow for the sharing of consumer data obtained through surveys, sweep- 
stakes, and questionnaires. In response, several websites acknowledged collecting 
personal information from consumers through surveys or sweepstakes entries. How- 
ever, they largely denied sharing that data with third parties except in limited cir- 
cumstances, including for their own advertising purposes, sweepstakes prize fulfill- 
ment, or with other third-party vendors to perform services on the websites’ own 
behalf 

Two of the website companies reported relationships with Acxiom, but those rela- 
tionships were for the benefit of the websites: one retained Acxiom’s services to store 
consumer information solely for its own marketing efforts, and the other to perform 
services such as collecting additional information about visitors to its website. While 
neither arrangement allowed for Acxiom to share or use the data provided for 
Acxiom’s own purposes, one company did share with Committee majority staff that 
Acxiom had approached them to become a data supplier, a request it declined. '^®® 


Experian, Simmons National Consumer Survey (EXP001785-1923). 

®® Experian Narrative Response to Senate Commerce Committee (Feb. 8 2013). 

1®® Sample letters that accompany Simmons National Consumer Survey (EXP002099) and 
(EXP002100). 

Experian Narrative Responses to Senate Commerce Committee (May 24, 2013) (July 26, 
2013); and Acxiom Narrative Response to Senate Commerce Committee (Apr. 5, 2013). 

Experian Narrative Response to Senate Commerce Committee, at 2—3 (May 24, 2013). 

1®® Acxiom Narrative Response to Senate Commerce Committee (Apr. 5, 2013). 

1®'^ Committee staff interview with website general counsel (Dec. 3, 2013). 

1®® Acxiom Narrative Response to Senate Commerce Committee (April 5, 2013). It is unclear 
at this point whether or how information from this website flowed to Acxiom. 
i®6 Website responses to Senate Commerce Committee (Oct. 2013). 
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e. Social Media 

Social media is a source of consumer information for many of the queried data 
brokers. For example, Acxiom says it obtains data about consumers’ social media in- 
terests and usage to predict the likelihood that a consumer would fall into one of 
the following categories: “business fan,” “heavy social media user ” (including 
Facebook, Linkedin, Twitter, and YouTube), “mobile social networker,” “text mes- 
saging user,” “poster” (including poster of photos, texts, and responders), “video 
sharer,” “social influencer,” and “social influenced.” 

In 2010, the Wall Street Journal and other media outlets reported that Rapleaf 
was collecting information about consumers’ social media accounts and selling that 
information to other companies. Rapleaf had been “crawling” publicly available 
data consumers placed on social media sites such as Facebook, MySpace, Linkedin, 
and others, to gather information including consumers’ names, age, gender, location, 
colleges and universities attended, and occupations, information about membership 
on social media sites such as Facebook, Flickr, Linkedin, Twitter, CafeMom, Ama- 
zon Wishlist, Pandora, Photobucket, and Dailymotion, number of friends and fol- 
lowers, and the URL of consumers’ profiles. 

Following public backlash and requests by Facebook, Rapleaf deleted most of the 
information it collected through webcrawling.ii° However, companies that pur- 
chased this data before Rapleaf ceased this activity were not required to delete the 
information that they had previously purchased.^'^i 

B. Data Broker Products 

Data brokers compile and analyze consumer data to create products and services 
that provide customers with data that has varying degrees of specificity about indi- 
vidual consumers. Most of the products described by respondent companies are es- 
sentially lists of consumers grouped by shared characteristics or predicted behav- 
iors. The companies also provide data on individual consumers to supplement data 
customers may already have on the consumer. 

Data broker products can consist of “actual” or “modeled” elements. Actual data 
includes factual information about individuals, such as their date of birth, contact 
information, and presence of children in a household. “Modeled” data results from 
drawing inferences about consumer characteristics or predicted behavior based on 
actual data. For example, a company may infer a consumer’s marital status based 
upon use of the prefix “Mrs.”; characterize an individual as having an interest in 
golf based on the fact that an individual subscribes to a golf magazine; or char- 
acterize an individual as having a health interest in allergies based on the fact that 
the individual made a non-prescription purchase of over the counter allergy medica- 
tion, 

The companies also use actual data to create “look-a-like” models. Look-a-like 
models use known information — such as living within a particular zip code and hav- 
ing children in the household — to predict characteristics such as the likelihood that 
an individual drives an SUV. With this model, a data broker could create a list of 
consumers likely to drive an SUV that a customer could purchase for targeted mar- 
keting. 

Two prominent means by which data brokers provide consumer data to customers 
are “original lists” and “data appends.” Original lists are sold to customers seeking 
a list of consumers who fit certain criteria — for example, women who live in Cleve- 


Acxiom Narrative Response to Senate Commerce Committee at 7 (Mar. 1, 2013). Acxiom 
asserts that they “do not collect specific activity from social media sites, such as individual post- 
ings, lists of friends or any data that is not public.” (ACXM 1422). 

Wall Street Journal, Facebook in Privacy Breach (Oct. 18. 2010), and Wall Street Jour- 
nal, A Web Pioneer Profiles Users by Name (Oct. 25, 2010). 

Rapleaf, Report Data Dictionary, (RAP-SEN-001-00121-RAP-SEN-001-00125). 

Letter from Phil Davis, Chief Executive Officer, Rapleaf, to Chairman John D. Rockefeller 
IV (Nov. 21, 2012). According to Rapleaf, the information it maintained was non-sensitive data 
consisting of age range, gender, zip code, and marital status. Id. 

Letter from Kenneth M. Dreifach, Counsel to Rapleaf, to Melanie Tiano, Counsel to the 
Senate Commerce Committee (Dec. 28, 2012); Committee staff conversation with Rapleaf Coun- 
sel (Dec. 5, 2012). 

Acxiom Narrative Response to Senate Commerce Committee (Feb. 15, 2013). 
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land and have an interest in cooking. Typically, customers purchase this informa- 
tion in large quantities, hundreds or thousands of names at a time.'^i® 

“Data append,” on the other hand, occurs when a customer has some information 
about specific consumers, but they want to create more complete profiles. In that 
case, the customer provides some identifying information about their customers, 
such as a list of names and zip codes or e-mail addresses, to a data broker company 
to purchase additional information about the specific consumers on the list. 

The products companies described to the Committee include consumer profiles 
characterizing consumers based on degree of financial vulnerability and propensity 
to use payday loans and other non-traditional financial products. These types of 
data broker products merit close scrutiny as they appear tailor made for businesses 
that profit from taking advantage of consumers. Following is a discussion of major 
types of data broker products, methods for sharing these products, and questions 
raised by certain products described by respondent companies. 

1. How Data Brokers Package Consumer Information 

One product data brokers offer is “segments,” or groupings of consumers defined 
by shared characteristics and likely behaviors. Many data brokers offer some vari- 
ation of segmenting products, and several of the large data brokers included in the 
Committee’s review offer dozens of different segment choices. 

The idea of segmenting consumers for marketing purposes is not a novel concept. 
In the 1970s, Claritas — which merged with Nielsen in 2001 — developed a seg- 
menting product called PRIZM, which defined groups of consumers based on demo- 
graphics and behaviors. PRIZM is now advertised as “the industry-leading life- 
style segmentation system that yields rich and comprehensive consumer insights to 
help you reveal your customer’s preferences.” When clustering first began, com- 
panies generally relied on census data to predict the behavior of consumers. Today, 
however, there are endless avenues to obtain consumer data. 

Another type of product described by data brokers involves “scoring,” a form of 
analytics that utilizes data to make predictions about likely consumer behavior. 
Scoring products are designed to provide marketers insight about existing and pro- 
spective customers by assigning a number or range that signifies each consumer’s 
likelihood to exhibit certain characteristics or perform certain actions. For example, 
Acxiom offers a product that can provide marketers with predictive indicators of 
consumers’ social media behaviors, assigning a number from 1-20 on the basis of 
whether they are likely to be a “social influencer” or are “socially influenced,” and 
whether they are a frequent “text poster” or “business fan.” 

2. Issues Regarding Data Broker Products 

a. Products that Identify Financially Vulnerable Populations 

A number of products described by data brokers focus on characterizing a con- 
sumer’s economic status. For example, some of the consumer profiles they sell iden- 
tify economically comfortable consumers. Consumers in clusters titled “Established 
Elite,” “Power Couples,” “American Royalty,” and “Just Sailing Along,” indicate a 
level of affluence that might be used to identify a likely audience for luxury products 
or investments. Data broker descriptions of such products provide further detail. For 
example, Experian describes “American Royalty” as “[wlealthy, influential and suc- 
cessful couples and families living in prestigious suburbs.” 

Understanding the financial circumstances of consumers is important for assess- 
ing how to best the reach those most likely to purchase particular goods or products. 


Except in instances where a company offers some type of individual look-up product, “origi- 
nal list” information is not generally available to be purchased on an individual consumer basis. 
Spokeo, for example, offers consumers an individual look-up service that provides the ability to 
search for information about specific individuals. Products offered by Spokeo allow customers 
to search for people by name or address or through a “reverse search” service — where customers 
may enter a telephone number or e-mail address to identify the individual associated with that 
number or address. Customers are able to obtain a “person’s name, address, phone number, e- 
mail address, occupation, property value, family relations, and social media accounts.” Letter 
from Angela Saverice-Rohan, General Counsel, Spokeo, Inc., to Chairman John D. Rockefeller 
IV (Nov. 2, 2012). 

Committee staff conversations with respondent companies; several companies reported that 
segments are priced and sold by the thousand. 

iiewall Street Journal, Placing Products: Marketing Firm Slices U.S. into 240,000 Parts to 
Spur Clients’ Sales (Nov. 3, 1986). 

i^^Nielsen, My Best Segments (online at http:/ 1 www.claritas.com I MyBestSegments! De- 
fault. jsp?ID=70&pageName=Learn percent2BMore&menuOption=learnmore). 

Acxiom, Precision Targeting and Messaging in Social Networks: Acxiom Predictive Scores 
for Social Media (ACXM 473-474). 

Experian, Mosaic USA New Segment and Group Names fEXP002634— 002678). 
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However, some of the targeting products described by the companies appear to focus 
specifically on identifying financially vulnerable populations. The table below rep- 
resents a sample of the segments offered for sale by the queried companies: 

Table I: Company Product Names 


Sample List of Targeting Products Identifying 
Financially Vulnerable Populations 


"Burdened by Debt: 
Singles" 

"Mid-Life Strugglers: 
: Families" 

"Resilient Renters" 
"Very Spartan" 

"X-tra Needy" 

"Zero Mobility" 
"Hard Times" 
"Enduring 
I Hardships" 

"Humble 

Beginnings" 


"Struggling 
Elders: Singles" 

"Retiring on 
Empty: Singles" 

"Tough Start: 
Young Single 
Parents" 

"Living on 
Loans: Young 
Urban Single 
Parents" 

"Credit 

Crunched: City 
Families" 


"Meager Metro 
Means" 

"Relying on Aid: 
Rebred Singles" 
"Rough 

Rebrement: Small 
Town and Rural 
Seniors" 

"Financial 

Challenges" 

"Credit Reliant" 
"Rocky Road" 


"Very Elderly" 
"Rolling the Dice" 
"Fragile Families" 

"Small Town 
Shallow Pockets" 

"Ethnic Second- 
City Strugglers" 

"Rural and Barely 
Making It" 


Source: Company Responses 

The product descriptions that data brokers provide to potential customers further 
elaborate on such vulnerability. For example, “Hard Times” is described by 
Experian as, “Older, down-scale and ethnically-diverse singles typically concentrated 
in inner-city apartments.” The description continues: “This is the bottom of the 
socioeconomic ladder, the poorest lifestyle segment in the Nation. Hard Times are 
older singles in poor city neighborhoods. Nearly three-quarters of the adults are be- 
tween the ages of 50 and 75; this is an underclass of the working poor and destitute 
seniors without family support. . . . One-quarter of the households have at least one 
resident who is retired.” 

A number of scoring products similarly focus on consumers’ financial vulnerabili- 
ties. One example is Experian’s “ChoiceScore,” which the company asserts “helps 
marketers identify and more effectively market to under-banked consumers.” Ac- 
cording to the company’s marketing materials for this product, “each year, under- 
banked consumers alone spend nearly $11 billion on non-traditional financial trans- 
actions like payday loans and check-cashing services.” These consumers include 
“new legal immigrants, recent graduates, widows, those with a generation bias 


Experian, Mosaic USA New Segment and Group Names (EXP002634-2636); Acxiom, 
Personiex Classic, (Mar. 1, 2013); Epsilon, Niches 3.0 (EPS— COM-003484 — 003496); Equifax, 
Economic Cohorts: Economic-based Household Segmentation (EFX Prod4 0002-0292); Equifax, 
Financial Cohorts: Direct-Measured Asset-Based Household Segmentation (EFX PROD4 0293— 
0543). See Appendix II. 

121 See Exhibit B for sample product descriptions. 

122 Experian, Mosaic USA Segment Descriptors (EXP002946). 

122 Experian, Mosaic USA Segment Descriptors (EXP002947). In another example, “Resilient 
Renters” is described as “singles with high-school and vocational/technical educations. At a 
mean age of 39, they are renters in the second-tier cities and, if employed, earn wages in service 
and clerical positions.” Acxiom Narrative Response to Senate Commerce Committee, Acxiom 
Personiex Classic (Mar. 1, 2013). 

124 Experian, ChoiceScore: Improve Targeting and Customer Acquisition in the Untapped 
Under-hanked Population (EXP002353). See Exhibit C for ChoiceScore Marketing description. 
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against the use of credit, followers of religions that historically have discouraged 
credit,” and “consumers with transitory lifestyles, such as military personnel.” 

The ChoiceScore options include a “Confidence Score” that “identifies and assigns 
a score, determining the propensity for a consumer to he in the under-hanked popu- 
lation,” and a “Risk Score,” a “non-credit based score used to identify the most and 
least desirable consumers.” Suggested applications of the product include: “target 
under-marketed new prospect segments eager to accept direct-marketing offers; tar- 
get invitation-to-apply credit card offers, secured card, prepaid debit and other non- 
traditional financial service offerings; and suppress records of those less likely to get 
approved.” 

This Committee inquiry did not review whether any of the specific identified lists 
that designate financially vulnerable consumers have been used in a harmful man- 
ner. However, precedent underscores the value of such products to unscrupulous 
businesses that seek to take advantage of consumers. For example, the New York 
Times has reported on telemarketing criminals that succeeded in raiding the bank- 
ing account of a 92-year old Army veteran, Data broker InfoUSA sold his name 
and contact information to a scam artist. As detailed in the Times’ account, InfoUSA 
advertised lists such as “Elderly Opportunity Seekers,” described as older people 
“looking for ways to make money;” “Suffering Seniors,” older people with cancer or 
Alzheimers disease; and “Oldies but Goodies,” people described as “gullible . . . 
[who] want to believe their luck can change.” 

InfoUSA was not one of the companies examined in this Committee inquiry, but 
the concerns raised by lists identifying financially vulnerable customers are illus- 
trated by this example. The names, descriptions and characterizations in these prod- 
ucts — all generated by the data brokers — likely appeal to companies that sell high- 
cost loans and other financially risky products to populations more likely to need 
quick cash, such as payday and installment lenders. 

Most of the companies provided to the Committee customer vetting and oversight 
policies that they assert ensure that information is used properly, Further, sev- 
eral of the contracts reviewed by the Committee include provisions that prohibit re- 
sale of consumer data to certain types of businesses such as “debt repair” and 
one specifically prohibits resale for “payday or short-term lending.” However, be- 
cause data brokers operate in the shadows, with little oversight or regulation, com- 
panies in this industry have discretion regarding their voluntary enforcement of 
such restrictions. Indeed, an investigation into InfoUSA showed that employees rou- 
tinely ignored rules about selling data to known fraudsters, Unfortunately, three 
of the largest companies — ^Acxiom, Experian, and Epsilon — to date have declined to 
disclose their customers to the Committee. As a result, the precise range and nature 
of their customer base remains unknown. 

One recent incident involving Experian’s credit services arm underscored that cus- 
tomer vetting and oversight practices are not always failsafe. In October 2013, 
media accounts reported that an alleged identity theft operation had purchased con- 
sumer data from Court Ventures, a company Experian acquired in March 2012, and 
that sales of data to the operation went on “for almost a year after Experian did 
their due diligence” and purchased the company, Concerned about implications 
of these reports regarding Experian’s customer vetting processes. Chairman Rocke- 
feller wrote Experian asking the company to confirm whether such sales had oc- 
curred, how long such sales had continued after Experian had acquired Court Ven- 
tures, and Experian’s vetting of Court Ventures customers prior to and after acquisi- 
tion. He also pressed the company for a complete customer list.^^® 

Experian’s response acknowledged that a person possibly engaged in criminal ac- 
tivity had been a Court Ventures customer before and after Experian’s acquisition 


126 /d. 

121 Experian, List Services Catalog: ChoiceScore (EXP002601). 

^^Id. 

129 New York Times, Bilking the Elderly, with Corporate Assist (May 20, 2007). 

130 The procedures range from a very basic requirement that each new customer agree to 
Terms of Service to a thorough vetting process of each new customer. While several data brokers 
report that customers must agree to abide by the companies’ terms of service or use, other com- 
panies described a stricter vetting process that include additional screening components. Com- 
pany Narrative Responses to Senate Commerce Committee (2012). 

i6iAcxiom Narrative Response to Senate Commerce Committee (Feb. 15, 2013). 

162 Sample Equifax Contract (EFX SUPP 008). 

133 q’j^g New York Times, Bilking the Elderly, with Corporate Assist (May 20, 2007). 

i34Krebsecurity.com, Experian Sold Consumer Data to ID Theft Service (Oct. 20, 2013); 
PCMAG.com, Experian Confirms Subsidiary’s Data Sold to Identity Theft Operation (Oct. 22, 
2013). 

166 Letter from Chairman John D. Rockefeller to Mr. Don Robert, Chief Executive Officer, 
Experian (Oct. 23, 2013). 
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of the company, and underscored that Experian stopped sales to this customer im- 
mediately after notification by authorities that this customer was under investiga- 
tion. However, the company did not make clear how long the sales occurred unde- 
tected by Experian after acquisition of Court Ventures. The company further refused 
to provide specific customers to the Committee, 

Given that identifying vulnerable consumers is critical to the business of preda- 
tory lenders and fraudfeasors, and precedent where such entities have turned to 
data brokers for consumer data, the sale and use of data broker products seg- 
menting financially vulnerable consumers merits close scrutiny. 

b. Scoring Products that Mirror Tools Regulated under the Fair Credit Reporting 
Act 

Some of the scoring products the respondent companies sell for marketing pur- 
poses resemble credit scoring tools that, under the Fair Credit Reporting Act, cannot 
be used for marketing. In materials describing one such product, “Summarized 
Credit Statistics,” Experian emphasizes the distinction between the aggregated cred- 
it related information offered by the product and individual credit information, ex- 
plaining: “because individual credit information may not be used for marketing pur- 
poses without a pre-approved offer, Experian developed Summarized Credit Statis- 
tics to characterize a neighborhood’s consumer credit activity.” 

Similarly, Equifax offers “Aggregated FICO Scores,” which Equifax distinguishes 
from FICO scores which are generally prohibited for use in marketing under the 
Fair Credit Reporting Act. In its marketing materials for this product, the company 
states that “FICO Scores are no longer only for credit approvals: With aggregated 
FICO Scores, [customers] can leverage the basis of FICO scores for non-FCRA mar- 
keting applications such as prospecting and ITA [invitations to apply].” i®® The com- 
pany further explains that “for the first time, marketers now have access to an ag- 
gregated, non-FCRA measure derived from the FICO Score.^®® 

This Committee inquiry did not focus on FCRA compliance issues. However, 
the emergence of marketing products that closely resemble credit scoring tools un- 
derscores the need for additional review of key questions including: 

• whether there are privacy concerns surrounding the use of these tools 

• whether additional consumer protections should be provided, and 

• whether use of some of these scores might be considered eligibility determina- 
tions that should be scrutinized under the Fair Credit Reporting Act.'^’^i 

C. Data Broker Customers and New Mechanisms for Using Data Broker Products 

Responding data brokers told the Committee they sell their marketing products 
to a range of customers for a variety of types of marketing. These customers use 
data broker products for traditional mailing lists and increasingly to tailor outreach 
to individual consumer computers or mobile devices. Following is a discussion of the 
types of customers with whom data brokers share marketing products and what 
companies told the Committee about how their products are shared and used. 


1®® Letter from Tony Hadley, Senior Vice President of Government Affairs and Public Policy, 
Experian, to Chairman John D. Rockefeller IV (Nov. 8, 2013). 

Experian, Summarized Credit Statistics {EXP002109— EXP002110). This credit product in- 
cludes the following: 

• Median equivalency score — assesses the potential risk for seriously derogatory behavior. 
The scores range from 360 to 840 (high score equals low risk) to accommodate the industry 
standard use of credit scores, 

• Median risk score — similar to median equivalency score, this option also characterizes 
neighborhoods or market segments based on their likelihood of having future derogatory credit 
activity. This score range (0-1000) has a direct correlation, where a low score equals a low risk, 
and, 

• Median bankruptcy score — pinpoints neighborhoods or market segments that may be 
more likely to file for bankruptcy or become seriously delinquent over the next 12 months. This 
score is a leading indicator of potential derogatory impacts. Scores range from 108 to 1257, with 
a high score indicating great likelihood. Id. 

13® Equifax, Aggregated FICO Scores: Utilize Aggregated FICO for Marketing Applications 
(EFX PROD3 0258-0260). 

i®9 Equifax, Aggregated FICO Scores from IXI Services (EFX SUPP 168-169). 

Contracts that respondent data brokers provided the Committee make clear they require 
customers to comply with FCRA’s prohibition against using marketing information for eligibility 
determinations. 

^^^See discussion at part I.C regarding consumer protection issues relating to scoring prod- 
ucts. 
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1. Who Buys the Data 

The respondent companies told the Committee they sell consumer data to a wide 
range of customers. The types of customers included financial institutions, hotel 
chains, wireless telephone service providers, cable companies, and jewelry stores, as 
well as other data brokers or resellers. While, some companies provided identities 
of specific customers, others instead provided only general descriptions of the types 
of customers that purchase their data. For example, Acxiom’s customers include “47 
Fortune 100 clients; 12 of the top 15 credit card issuers; seven of the top 10 retail 
banks; eight of the top 10 telecom/media companies; seven of the top 10 retailers; 
11 of the top 14 automotive manufacturers; six of the top 10 brokerage firms; three 
of the top 10 pharmaceutical manufacturers; five of the top 10 life/health insurance 
providers; nine of the top 10 property and casualty insurers; eight of the top 10 lodg- 
ing companies; two of the top three gaming companies; three of the top five domestic 
airlines; six of the top 10 U.S. hotels.” 

Experian’s customers include “retailers, including online, storefront, and catalog 
sellers; consumer products manufacturers; charities and other nonprofit organiza- 
tions; advertising agencies; media placement agencies; government agencies; Inter- 
net service providers; Internet portals; businesses offering services, especially local 
businesses; direct mail service providers; real estate agents; local, state, and Federal 
politicians; and colleges and universities.” 

Epsilon provided a list of the industries associated with their customers, which 
includes “business to business, broker, consumer packaged goods, direct to con- 
sumer, emerging markets, finance, healthcare, high tech — telco, insurance, multi- 
channel marketers (catalog), not for profit, publishing, research, retail, strategic 
partners, tobacco, and travel and entertainment.” The company further elabo- 
rated on several of these categories, explaining that list brokers are “bujdng agents 
for companies that send direct mail,” that “research the types of available lists that 
a mailer could use for their offer.” Emerging markets are “a collection of types of 
clients that are new to using direct marketing to reach customers,” and strategic 
partners are “companies that license data as inputs for models they create and re- 
sell to other companies.” 

2. New Mechanisms for Using Data 

In their responses to the Committee, data brokers described client uses of their 
data in general terms such as fraud detection, identity authentication, and mar- 
keting. Specific customers named in some responses of tbe queried data brokers pro- 
vided Committee staff with additional detail regarding their use of data broker 
products. 

For example, one retail bank noted if it were seeking to determine ideal locations 
of new branches it may be interested in examining predicted borrowing and spend- 
ing behaviors of their existing customers. Such information also might help banks 
when they are setting goals based upon the likely needs of their clientele, such as 
whether one branch should give more loans while another should open more new 
accounts. 

Further, the data broker responses made clear that customers are using data 
broker products to reach consumers both through on-line and off-line outreach. 
While American consumers are beginning to understand, and even expect, that their 
online activities will be tracked in order to send them online advertisements, it 
is unclear whether they understand the extent to which data concerning their offline 
activities also may be collected and used to tailor online advertisements. 


ii^Acxiom, Fact Sheet: Consumer Insight Products (ACXM 458). Acxiom also provided several 
examples of specific publicly identified clients. E.g., Acxiom Response to Senate Commerce Com- 
mittee (Nov. 2, 2012). 

ii^Experian Narrative Response to Senate Commerce Committee, at 19 (Nov. 2, 2012). 

144 Letter from Lydia Fames, Counsel to Epsilon, to Erik Jones, Deputy General Counsel to 
the Senate Commerce Committee, at 10 (Feb. 13, 2013). 

445 Letter from Lydia Fames, Counsel to Epsilon, to Melanie Tiano, Counsel to Senate Com- 
merce Committee (July 24, 2013). An example is a company that specializes in in serving not- 
for-profit clients on fund-raising matters, which then uses marketing data furnished hy 
Experian to help their clients refine fund-raising mailing campaigns. Id. Epsilon also described 
to the Committee several examples of specific publicly identified clients. Epsilon Response to 
Senate Commerce Committee, (Feb. 13, 2013) (EPS-COM— 003612-003650). 

446 Committee staff telephone interview with retail bank purchaser of segmenting buckets 
(Nov. 21, 2013). 

444 Joseph Turow, The Daily You, at 185 (2011) (citing a 2005 survey that showed 80 percent 
of respondents “believed that ‘companies today have the ability to follow my activity across 
many sites on the web.”) 

448 See Appendix III for a sampling of some of the data elements one company reported offer- 
ing for online targeting. 
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Historically, data about consumers was used to locate consumers to send catalogs 
and other marketing promotions through the mail or contact via telephone. Increas- 
ingly, the information that data brokers make available about consumers — including 
demographic characteristics, financial information, and offline purchases and inter- 
ests — is provided to clients digitally such that it informs the client’s ability to target 
consumers online. 

The primary method for achieving online data sharing described by respondent 
companies is through the use of “cookies,” and other technical means, such as 
“cookie syncing,” or “cookie matching.” However, as Internet browser companies 
take steps to block cookie traffic, other technology to track consumers is developing 
rapidly, and some data broker companies appear to be finding new ways to follow 
consumers across different channels such as mobile devices. For example, in Sep- 
tember 2013, Acxiom announced its “Audience Operating System (AOS).” AOS will 
combine data from multiple sources and enable digital marketers to segment and 
target audiences across channels and devices and would eliminate the need for 
third-party cookies, the current technology used to track consumers across the Inter- 
net, 

Data brokers are increasingly focused on using their offline consumer profiles for 
the purposes of serving online advertisements. Acxiom, for example, currently offers 
approximately 47 percent of its 1,500 data elements to help marketers target con- 
sumers online by personalizing websites for individual consumers or serving adver- 
tisements, i®® Similarly, Equifeix offers many of its products digitally, including mod- 
eled FICO scores and the Ability to Pay Index.i®'' Experian’s Hitwise product en- 
ables marketers to obtain aggregate reports on the online behavior of their existing 
consumers by anonymously matching Experian offline marketing data with website 
traffic pattern analysis. '^®® 

Data brokers have asserted that digital products offer more privacy protections for 
consumers than traditional mail marketing because the data on consumers used in 
this context is not “personally identifiable” as that term is commonly understood. 
They point out that for marketing online, information about a consumer is often as- 
sociated with a code instead of the consumer’s name.^®® However, some privacy and 
information experts have expressed concerns that re-identification techniques may 


149 As Datalogix explained its digital product offerings: 

The DLX Digital Display Media product is a direct and natural evolution of Direct Mail prod- 
uct for the digital era, in virtually every way. In the traditional mail world, the data was and 
is used to deliver catalogues and marketing promotions through the mail channel to the per- 
sonal address of a family or individual. In the display business, the data is used to deliver an 
advertisement via a banner advertisement. If the consumer clicks on the advertisement, the con- 
sumer is taken to a company-sponsored website that provides detail about the product or service 
in an analogous way to a catalog. Websites have replaced or augmented catalogues as a pre- 
ferred method of consumer shopping in the last decade. 

Letter from Eric Roza, Chief Executive Officer, Datalogix, to Chairman John D. Rockefeller 
IV (Nov. 16, 2012). 

190 A cookie is a text file that a website’s server places on a consumer’s web browser. Cookies 
can be used to transmit information back to the website’s server about the browsing activities 
on the site as well as be used to track a computer across different sites. See Federal Trade Com- 
mission, FTC Staff Report: Self-Regulatory Principles for Online Behavioral Advertising (Feb. 
2009). 

191 Cookie syncing is the process of mapping user id’s from one system to another. See 
AdMonsters, Cookie Syncing (Apr. 20, 2010) (online at http:! I wwiv.admonsters.com ! blog ! cookie- 
synching). 

192 Gartner, Acxiom’s Audience Operating System Could Reinvent Data-Driven Marketing (Sep. 
26, 2013). 

199 Committee staff conversation with Jennifer Barrett Glasgow, Chief Privacy Officer, Acxiom 
(Dec. 10, 2013). 

194 For use online, the Ability to Pay Index assigns consumers a score from one to four. A score 
of one represents consumers with the highest likelihood of being able to pay. Equifax, Ability 
to Pay Digital (EFX SUPP 164); Equifax, Aggregated FICO Digital Targeting Segments (EFX 
PROD3 0294). 

195 Experian Narrative Response to Senate Commerce Committee, at 10—11 (Feb. 26, 2013). 
The marketing materials suggest that customers can identify and track consumer groups based 
upon a variety of elements, including visits to specific websites; online searches for specific 
terms; demographics, including age, income, gender, race, and ethnicity; summarized credit 
scores; presence of children; hobbies; ailments and prescriptions; and life events, such as new 
parents, movers, or new homeowners. Experian, AudienceView (EXP002472-2473). 

199 Letter from Eric Roza, Chief Executive Officer, Datalogix, to Chairman John D. Rockefeller 
IV (Nov. 16, 2013). 
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be used with such data,” and questioned whether data that identifies specific 
computers and devices can truly be considered “anonymous.” As marketing scholar 
Joseph Turow wrote: 

Industry claims of anonymity surrounding all these data may soften the impact 
of the sorting and labeling processes. But in doing so, it seriously undermines 
the traditional meaning of the word. If a company can follow and interact with 
you in the digital environment — and that potentially includes the mobile phone 
and your television set — its claim that you are anonymous is meaningless, par- 
ticularly when firms intermittently add offline information to the online data 
and then simply strip the name and address to make it “anonymous.” i®® 

D. Data Broker Transparency and Privacy Practices 

Data brokers generally are not consumer facing, therefore, most consumers have 
no way of knowing that data brokers may be collecting their data. Further, a num- 
ber of companies have contracts with their customers that limit customer disclo- 
sures regarding their data sources. And since consumers generally do not have Fed- 
eral statutory rights of access, correction, or control with respect to the information 
data brokers maintain on them for marketing, companies can establish privacy pro- 
tections for this data largely at their own discretion. 

Industry representatives continue to support self-regulation as the best approach 
for protecting the privacy of consumer data used for marketing, and many of the 
data broker responses to the Committee highlighted the importance of self-regula- 
tion. In fact, Acxiom cited a company philosophy — “just because you can doesn’t 
mean you should” i®® — as a guiding principle for how to handle the mass quantities 
of consumer data available to them. 

Most company responses indicated they have incorporated many of the best prac- 
tices set forth in the Guidelines for Ethical Business Practices issued in 2009 by the 
Direct Marketing Association. These guidelines provide “generally accepted prin- 
ciples of conduct” for “database compilers” that cover subjects including consumer 
choice and privacy notices, handling sensitive and specifically health-related infor- 
mation, oversight of customer data use, and information security. The guidelines 
also provide for a consumer right to opt out of the marketing process but do not 
provide for consumer access and correction rights with respect to their own data.'^®^ 

This section discusses respondent company practices relevant to transparency and 
privacy. 

1. Disclosure Limitations 

Although DMA Guidelines recommend that members “not prohibit an end-user 
marketer from divulging the database compiler as the source of the marketer’s infor- 
mation,” 1®® a number of the companies have contracts with customers that place 
restrictions on customer disclosure of their data source. For example, one company’s 
contract language provides: “All marketing communications used in connection with 
any list or data element provided to client shall ... be devoid of any reference to 
. . . the source of the recipient’s name and address.” ^®® Similarly, another com- 
pany’s contracts provide that the company “may not be advertised, or otherwise dis- 
closed to any third party, as the source of the Licensed Data unless Client first ob- 
tains the express, written permission” of the company.” 

The contracts reviewed by the Committee do, however, provide exceptions to such 
restrictions where a consumer makes a direct inquiry to the data broker’s cus- 
tomer, i®® 

2. Consumer Access and Control Rights 

The respondent data brokers varied widely with respect to access and correction 
rights. For example, Experian and Equifeix provide consumers no right to view their 
own data or correct it. Rapleaf provides consumers access to their data, and allows 


How Anonymous Is Your Data? So, Should You Be Worried That We’re on a Fast Track 
to Mass Privacy Invasions?, Advertising Age (Mar. 18, 2013) (discussing the re-identification of 
online data that has been anonymized). 

1®® Joseph Turow, The Daily You, supra n. 146, at 190; see also Paul Ohm, Broken Promises 
of Privacy, 57 UCLA Law Review 1701, 1704 (2010) (“Data can either be useful or perfectly 
anonymous, but never both.”). 

1®® Acxiom Narrative Response to Senate Commerce Committee, at 3 (Apr, 15, 2013). 

160 For discussion of these guidelines see Part LB. 

i®iDMA Guidelines, supra n.25. Article 31. 

162 F)MA Guidelines, supra n.25, Article 36. 

1®® Sample contract provided to the Senate Commerce Committee. 

Sample contract provided to the Senate Commerce Committee. 

i®®i).g., Sample Contract provided to the Senate Commerce Committee. 
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them to correct data that Rapleaf originates, but the company does not provide cor- 
rection rights to data originating from others. 

Equifax states that a large percentage of the products it offers are aggregated or 
modeled scores that are then attributed to every household or individual sharing a 
particular ZIP-h 4 Code. Equifeix asserts that because the consumer data obtained is 
de-identified and therefore not about a particular consumer, Equifax does not pro- 
vide an opportunity for consumer notice, access, or correction, Similarly, Experian 
does not provide consumers the ability to access or correct the data maintained be- 
cause the company “does not maintain sufficient personal information to allow ade- 
quate authentication of an individual who requests access,” and much of the in- 
formation is modeled or inferred or provides general information, such as income 
ranges, rather than details, such as exact income, making correction rights unneces- 
sary, i®® 

Acxiom in September 2013 unveiled a new website — Aboutthedata.com — that al- 
lows consumers to see and correct certain information that Acxiom has collected 
about them. In order to access information, consumers must enter their full name, 
address, date of birth, last four digits of their social security number, and e-mail 
address. Once a consumer’s information has been authenticated, the consumer can 
view, and correct or delete broad categories of what Acxiom calls “core” data. 

while the new Acxiom database marks a step forward in promoting transparency, 
it does not provide consumers a complete view of the data the company holds on 
consumers for marketing purposes. First, consumers do not have access to data to 
which Acxiom has applied analytics. For example, a consumer could see data points 
showing their occupation and that they have children, but if Acxiom inferred from 
those two data points that the consumer is a “working parent,” the consumer would 
not have access to that inferred element. Second, the database includes only those 
data points that are currently incorporated into Acxiom’s digital — as opposed to off- 
line — products. According to Acxiom representatives, as of early December, about 47 
percent of Acxiom’s offline data was included in the digital products, and the com- 
pany is aiming to have complete overlap of the two data sets within a few years. i®® 

3. Opt-Out Rights 

Several companies reported that they provide an avenue for consumers to opt out 
of having their information shared for marketing purposes. The companies that pro- 
vide these options typically give notice to consumers of this option via their privacy 
policies and company websites. They can also entirely opt out of having any of their 
data collected. 

Acxiom’s policy is to permanently delete the records of consumers who choose to 
opt out. However, a number of other respondent companies provide that, when a 
consumer opts out of having their information shared, the companies do not delete 
the consumer’s information. Rather, as Epsilon describes: 

When a consumer opts-out with Epsilon, Epsilon marks the consumer’s informa- 
tion as “Do Not Share,” rather than deleting the information. Epsilon does this 
to preserve the consumer’s preference; if the consumer’s information is deleted, 
in the future. Epsilon would have no way to know that the consumer requested 
that their information not be shared. When a consumer is marked as “Do Not 
Share,” Epsilon will know that the consumer did not want their information 
shared in case the consumer’s information is later resubmitted. Epsilon adheres 
to this policy to ensure that consumers’ opt-out requests are persistent and hon- 
ored, 

Similarly, when a consumer requests that Experian suppress the use of their in- 
formation for marketing purposes, “Experian does not completely eliminate data in 
response to a suppression request. [Experian] must continue to internally maintain 


1®® Response Letter from Robert W. Kamerschen, U.S. Chief Counsel and Senior Vice Presi- 
dent, Equifax to Chairman John D. Rockefeller IV, at 5 (Nov. 2, 2012). 

1®^ Experian Narrative Response to Senate Commerce Committee, at 16 (Nov. 2, 2013). 
i®8/d. 

i®®See Section III.C.2. According to documents provided to the Committee, as of June 2012, 
Acxiom had 160 elements available in the digital products. The 160 elements include some mod- 
eled data that would not he available for access and correction. This is out of Acxiom’s over 
1,500 data elements currently listed as available in their data catalog. Acxiom Narrative Re- 
sponse to Senate Commerce Committee (Mar. 1, 2013). Conversations with Acxiom suggest that 
this number may now be as high as 47 percent of the available 1,500 data elements. Committee 
staff conversation with Jennifer Barrett Glasgow, Chief Privacy Officer, Acxiom (Dec. 10, 2013). 
i™Epsilon Narrative Response to Senate Commerce Committee (Nov. 2, 2012). 
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a record pertaining to the suppressed household in order to properly manage con- 
sumer records, such as the consumer’s choice for suppression.” 

It is worth noting that since consumers are often not aware that data brokers 
hold their information, it is not clear how they would be aware that they have opt- 
out rights, or how to exercise them. 

rV. Conclusion 

The responses the Committee received in its inquiry into the data broker industry 
provide a snapshot of how data brokers collect, use, and share consumer data for 
marketing purposes. This information makes clear that consumers going about their 
daily activities — from making purchases online and at brick-and-mortar stores, to 
using social media, to answering surveys to obtain coupons or prizes, to filing for 
a professional license — should expect that they are generating data that may well 
end up in the hands of data brokers. They should expect that this data may well 
be amassed with many other details about them data brokers already have com- 
piled. And they should expect that data brokers will draw on this data without their 
permission to construct detailed profiles on them reflecting judgments about their 
characteristics and predicted behaviors. 

The responses also underscore that consumers have minimal means of learning — 
or providing input — about how data brokers collect, analyze, and sell their informa- 
tion. The wide variety of consumer access and control policies provided by the rep- 
resentative companies show that consumer rights in this arena are offered virtually 
entirely at the companies’ discretion. The contractual limitations imposed by compa- 
nies regarding customer disclosures of their data sources place additional barriers 
to consumer transparency. And the refusal by several major data broker companies 
to provide the Committee complete responses regarding data sources and customers 
only reinforces the aura of secrecy surrounding the industry. 

This Committee inquiry has been conducted at a time when sources of consumer 
data and technological capabilities for storage and speedy analysis of data continue 
to expand. As data brokers are creating increasingly detailed dossiers on millions 
of consumers, it is important for policymakers to continue vigorous oversight to as- 
sess the potential harms and benefits of evolving industry practices and to make 
sure appropriate consumer protections are in place. 


Appendix I 

Federal Laws That May Be Applicable To Information Collected 
By Data Brokers 

In its September 2013 Information Resellers Report, GAO found that no single 
comprehensive Federal privacy law governs the collection, use, and sale of personal 
information maintained and sold by data brokers. ^ Instead, a “more narrowly tai- 
lored” set of laws concerning private sector use of consumer information exists 
which “apply for specific purposes, in certain situations, to certain sectors, or to cer- 
tain types of entities.”^ The Fair Credit Reporting Act (FCRA), the Gramm-Leach- 
Bliley Act (GLBA), Section 5 of the Federal Trade Commission Act (FTC Act), and 
to some extent the Health Insurance Portability and Accountability Act of 1996 
(HIPAA), and the Children’s Online Privacy Protection Act (COPPA) are the pri- 
mary laws that govern the collection and use of consumer information. A brief sum- 
mary of the applicable portions of each of these laws follows below. 

I. Fair Credit Reporting Act 

The Fair Credit Reporting Act (FCRA)^ imposes a number of obligations on con- 
sumer reporting agencies (CRAs), which are entities that assemble consumer infor- 
mation into “consumer reports” for use by issuers of credit and insurance, and by 
employers, landlords, and others in making eligibility decisions affecting con- 
sumers.^ Whether the obligations and protections of the FCRA apply to consumer 
data depends largely on the purpose for which the information is collected, and the 
intended and actual use of the information, rather than the origin or nature of the 


I'^iExperian Narrative Response to Senate Commerce Committee, at 16 (Nov. 2, 2012). 

1 Government Accountability Office, Information Resellers: Consumer Privacy Framework 
Needs to Reflect Changes in Technology and the Marketplace, GAO-13—663 (Sept. 2013) (here- 
after “GAO Information Reseller Report”). 

^Id.. 

3 Pub. L. No. 91-508, Tit. VI, 84 Stat. 1114, 1128 (1970) (codified as amended at 15 U.S.C. 
§§ 1681-1681X). 

“15 U.S.C. § 1681a. 
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information itself. The FCRA does not apply to the collection and use of information 
for the purpose of marketing, except it allows marketing of pre-screened offers of 
credit and insurance where consumers are provided the opportunity to opt out of 
future such offers.® 

The FCRA requires that CRAs make reasonable efforts to assure the “maximum 
possible accuracy”® of the information they provide to data users, and further re- 
quires they maintain procedures through which consumers can dispute and correct 
inaccurate information in their consumer reports.'^ CRAs also must take reasonable 
measures to ensure that they provide credit reports only to those entities that have 
a statutorily-specified “permissible purpose” to receive them.® The FTC has recently 
taken actions against a number of companies for allegedly violating the FCRA.® 

II. Gramm Leach Bliley Act 

The Gramm Leach Bliley Act (GLBA) i®, also known as the Financial Services 
Modernization Act of 1999, imposes privacy and security obligations on nonpublic 
personal information that consumers provide to “financial institutions,” which 
GLBA defines as businesses that are engaged in “financial activities,” including tra- 
ditional banking, lending, and insurance functions, as well as other activities such 
as providing investment advice, brokering loans, credit reporting, and real estate 
settlement services. Financial institutions subject to GLBA must comply with two 
key provisions of the Act — the “Financial Privacy Rule,” and “Safeguards Rule.” The 
Financial Privacy Rule governs the collection and disclosure of consumers’ personal 
information. The “Safeguards Rule,” requires that financial institutions design, 
implement and maintain safeguards to protect consumers’ nonpublic information.!® 

The GLBA Privacy Rule generally prohibits covered financial institutions from 
disclosing nonpublic personal information about consumers to non-affiliated third 
parties without first providing consumers with notice and the opportunity to opt out 
of the disclosure, i"! However, the GLBA provides a number of statutory exceptions 
under which disclosure is permitted without specific notice to the consumer, includ- 
ing consumer reporting (pursuant to the FCRA), fraud prevention, law enforcement 
and regulatory or self-regulatory purposes, compliance with judicial process, and 
public safety investigations.!® 

Entities that receive information under an exception to the GLBA are subject to 
reuse and re-disclosure restrictions, even if those entities are not themselves finan- 
cial institutions.!® In particular, the recipients may only use and disclose the infor- 
mation “in the ordinary course of business to carry out the activity covered by the 
exception under which . . . the information [was received].”!!" Thus, for example, 
if a data broker obtains “credit header information” — which includes a consumer’s 
name, address, and social security number — from a financial institution pursuant to 


® 15 U.S.C. § 1681b(e). Pre-screened offers of credit or insurance — sometimes called “pre-ap- 
proved” offers — are sent to consumers unsolicited, usually by mail. They are based on informa- 
tion in consumers’ credit reports that indicates that the individuals receiving the offer meet the 
criteria set by the company making the offer. The FCRA limits the circumstances in which con- 
sumer reports can be used to make pre-screened offers, and provides that all such offers must 
include a notice of consumers’ right to stop receiving future pre-screened offers. 

6 15 U.S.C. § 1681e(b). 

15 U.S.C. § 1681i(a)-(d) 

® 15 U.S.C. § 1681b(a), (c). Permissible purposes under the FCRA include, but are not limited 
to, the use of a consumer report in connection with a determination of eligibility for credit, in- 
surance, or a license; in connection with the review of an existing account; and for certain em- 
ployment purposes. Other typical uses that are subject to FCRA protections include tenant 
screening, and check cashing services. 

®See, e.g., Press Release, ‘‘Certegy Check Services to Pay $3.5 Million for Alleged Violations 
of the Fair Credit Reporting Act and Furnisher Rule,” Federal Trade Commission (Aug. 15, 2013) 
(available at www.ftc.gov / news-events I press-releases / 2013 1 08 1 certegy-check-services-pay-35-mil- 
lion-alleged-violations-fair); Press Release “Marketers of Criminal Background Screening Reports 
To Settle FTC Charges They Violated Fair Credit Reporting Act” Federal Trade Commission, 
(Jan. 10, 2013) (available at www.ftc.gov t news-events ! press-releases 12013 ! 01 ! marketers-crimi- 
nal-background-screening-reportsto-settle-ftc); Press Release , to Pay $800,000 to Settle 
FTC Charges Company Allegedly Marketed Information to Employers and Recruiters in Violation 
of FCRA,” Federal Trade Commission, (June 7, 2012) (available at www.ftc.gov ! news-events ! 
press-releases 1 2012 ! 06 ! spokeo-pay-800000-settle-ftc-charges-company-allegedly-marketed). 

!®Pub. L. No. 106-102, 113 Stat. 1338 (1999) (codified as amended in scattered sections of 
12 and 15 U.S.C.). 

i!15 U.S.C. §6809(3)(A). 

12 15 U.S.C. § 6801(a). 

13 15 U.S.C. § 6801(b). 

“15 U.S.C. § 6802(b). 

“15 U.S.C. § 6802(e). 

“16 C.F.R. Part 313. 

i’'16 C.F.R. Part 313.11(a). 
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the GLBA exception “to protect against or prevent actual or potential fraud,” then 
that data broker may not reuse and re-disclose that information for marketing pur- 
poses. 

III. Federal Trade Commission Act 

Section 5 of the Federal Trade Commission (FTC) Act provides the Commission 
with broad jurisdiction to regulate unfair or deceptive practices in competition and 
consumer protection, Section 5 forms the basis of the FTC’s substantial body of 
law that covers advertising, marketing, certain financial practices, and privacy, 
among other areas. In the privacy space, section 5 applies to both deceptions and 
violations of written privacy policies and statements made to consumers about how 
they will safeguard or use consumer information, The Commission’s Section 5 au- 
thority extends to the sale of data for marketing purposes.^® 

rV. Health Insurance Portability and Accountability Act 

The Health Insurance Portability and Accountability Act (HIPAAj^i protects cer- 
tain personal health information from use and disclosure. HIPAA applies to individ- 
ually identifiable health information held by “covered entities,” which include 
health insurers, health care providers — if they transmit any information in an elec- 
tronic form for certain covered transactions — and health care clearinghouses, as well 
as their vendors, subcontractors, and business associates.^® The HIPPA Privacy 
Rule governs the use and disclosure of personal health information and, with some 
exceptions, requires an individual’s written authorization prior to using consumers’ 
protected health information for marketing and sale.®’' However, HIPPA affords fair- 
ly narrow protections and its restrictions on sharing do not apply to health informa- 
tion held by non-covered entities, including data brokers. 

V. Cbildren’s Online Privacy Protection Act 

The Children’s Online Privacy Protection Act®® (COPPA) applies to the online col- 
lection and use of personal information from children under age 13. Websites and 
online services, including mobile apps, covered by COPPA are required to post pri- 
vacy policies, provide parents with direct notice of their information practices, and 
get verifiable consent from a parent or guardian before collecting personal informa- 
tion from children. Personal information is defined as information that would allow 
someone to identify or contact a child. It includes, among other things, name, phys- 
ical or e-mail address, geolocation, and “persistent identifier” which can be used to 


'®15 U.S.C. §45. Banks, savings and loans, credit unions, common carriers, and air carriers 
are exempt from the FTC’s Section 5 jurisdiction. 

e.g, Press Release, Google Will Pay $22.5 Million to Settle FTC Charges it Misrepre- 
sented Privacy Assurances to Users of Apple’s Safari Internet Browser, Federal Trade Commis- 
sion (Aug.9, 2012) (available at www.ftc.gov /news-events /press-releases 12012/ 08/ google-wilT 
pay-225-million-settle-ftc-charges-it-misrepresented); Press Release, Online Data Broker Settles 
FTC Charges Privacy Policies were Deceptive, (Sept. 22, 2010) (available at http:/ / www.ftc.gov / 
news-events / press-releases / 2010 / 09 / online-data-broker-settles-ftc-charges-privacy-pledges-were) 
(charging that U.S. Search, Inc.’s promises that they would prevent consumers’ personal infor- 
mation from appearing in their reverse lookup database in exchange for a $10 fee were false); 
Press Release, Agency Announces Settlement of Separate Actions Against Retailer TJX, and Data 
Brokers Reed Elsevier and Seisint for Failing to Provide Adequate Security for Consumers Data, 
Federal Trade Commission (Mar. 27, 2008) (available at http: / / www.ftc.gov /news-events /press- 
releases /2008 /03 / agency-announces-settlement-separate-actions-against-retailer-tjx). 

^''In October of 2012, the FTC alleged that the credit reporting division of Equifax improperly 
sold more than 17,000 “prescreened” lists of consumers who were late on their mortgage pay- 
ments to Direct Lending Source, Inc. and its affiliate companies. Direct Lending subsequently 
resold some of these lists to third parties, who used the lists to pitch loan modification and debt 
relief services to people in financial distress, including to companies that had been the subject 
of prior law enforcement investigations. See Press Release, FTC Settlements Require Equifax to 
Forfeit Money Made by Allegedly Improperly Selling Information about Millions of Consumers 
Who Were Late on Their Mortgages, Federal Trade Commission (Oct. 10, 2012) (available at 
http: / / www.ftc.gov / news-events / press-releases /2012 / 1 0 / ftc-settlements-require-equifax-forfeit- 
money-made-allegedly). 

®'Pub. L. No. 104-191, 110 Stat. 1936 (1996) (codified as amended in scattered sections of 
18, 26, 29, and 42 U.S.C.). 

2245 C.F.R. Part 160.103. Individually identifiable health information is information which 
can be linked to a particular person. This information can relate to the individual’s past, present 
or future physical or mental health or condition, or, the past, present, or future payment for 
the provision of health care to the individual. 

2 ® 45 C.F.R. Partl60.103. 

24 Exceptions include refill reminders or otherwise communicate about a drug or biologic that 
is currently being prescribed for the individual, only if any financial remuneration received by 
the covered entity in exchange for making the communication is reasonably related to the cov- 
ered entity’s cost of making the communication. 45 CFR 164.501 

2 ® 15 U.S.C. §§ 6501-6506 (Pub.L. 105-277, 112 Stat. 2581-728, enacted October 21, 1998). 
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recognize a user over time and across different websites or online services.^® The 
law specifies what information must be included in the notice provided to parents 
and how and when to acquire parental consent.^^ 

COPPA’s restrictions and protections could apply to this investigation because 
websites have been identified as one of the sources from which data brokers obtain 
consumer information. COPPA does not restrict the collection of a child’s informa- 
tion from the child’s parent or other adult. 


Sample List of Targeting Products 
Identifying Financially Vulnerable Populations 


"Very Elderly" 
"Rolling the Dice" 
"Fragile Families" 

"Small Town 
Shallow Pockets" 

"Ethnic Second- 
City Stragglers" 

"Rural and Barely 
Making It" 


"Burdened by Debt: 

"Struggling 

"Meager Metro 

Singles" 

Elders: Singles" 

Means" 

"Mid-Life Strugglers: 

"Retiring on 

"Relying on Aid: 

Families" 

Empty: Singles" 

Retired Singles" 

"Resilient Renters" 

"Tough Start: 

"Rough 

"Very Spartan" 

Young Single 
Parents" 

Retirement: Small 
Town and Rural 

"X-tra Needy" 

"Living on 

Seniors" 

"Zero Mobility" 

Loans: Young 

"Financial 

"Hard Times" 

Urban Single 

Challenges" 

"Enduring 

Hardships" 

Parents" 

"Credit 

Crunched: City 
Families" 

"Credit Reliant" 

"Humble 

Beginnings" 

"Rocky Road" 


Sample List of Offline Elements 

Available for Online Advertising 

\PP»At>l\III 

Race Code 

Age in Two-Year Range ~ Head of 

Home Loan - Date, Amount 


Household 

Range, Type, Interest Rate Type, 

Owelling Type 

Working Women 

Transaction Type 

Method of Payment - Amex, 

Presence of Children 

Home Purchase Year 

MasterCard, Visa, Discover, Retail 

Adult Age Ranges Present in 

Home Property Type Detail 

Card, House Charge, Other, Cash 

Household 

Home Market Value - Premier 

Recent Home Buyer (6 Months) 

Occupation, Head of Household, 

Ranges 

Recent Mortgage Borrower 

2*^ Person in Household 

Length of Residence - Ranges 

New Parent 

Number of Adults 

Home Total Loan - Ranges 

Vehicle - Intend to Purchase 

Estimated Household Income 

Home Lot Square Footage - Range 

Pet Owner - Cat, Dog, Other 

Generations in Household 

Home Year Built - Range 

Marital Status 

Senior Adult in Household 

Home Square Footage - Range 


Child Nearing High School 

Home Assessed Value - Range 


Graduation in Household 

Home Purchase Amount - Range 

Net Worth 

Reading - Religious/lnspirational 
Interest 

Recent Home Buyer 

Education 


Received New Credit Card 

Frequent Shoppers /Heavy 

Recently 

Dieting / Weight Loss 

Transactor 


Gambling -Casino 


26 16 C.F.R. Part 312.2. 

27 16 C.F.R. Part 312.5. 
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CONSUHCft RfStARCH CeNTEft 




CONSUMER PRODUCT SURVEY OF AMERICA 

FImm hM tlw <|uM*e<viMr* UM out bv th* mtm graoov thocpaf vow housalwM 


Exhibit A 

Number 0 ^ 



Section 1: Household Purchases 


instructions 


1 Siorsge Bags 


4 Purchase Decisions 


t Do you buy these products? 


12 Food Products 


Canwaa* ToMCfuMk 
(•ft or poncoEot 
FcMCUofi 
FrwM rioAM 
froiM Um IWhiOM 


S Mail Order or Catalogs 

1 > Hat TMw boM«l«W Omeu (Of ol *• 
UBawil^ p«a<io> t ST C Utltei» 
•na|fe •# Ml W Ua I ptalfctT 


CMOwoproOKU 

ColacaUai 


3 Pets and Pel Products 




13 Grocery Products 


11 Home Electronics 


Canpact e«« (larit COI 
OVOitara' 


AndtiM 

StecABany 


Taigtl 

Watnvi 

CVS 

WHrMai 

CaalBO 

Sap'tOi* 

CkNtrSUra 

lowt't 

HMAtOapei 

PftCO 

NiSiun 

Ouai 

10 Housekeeping Products 
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PiMM CkKk it TM «• lb 

CigoiiiM 
SmoUtati M6«c«* 

CKMtms 


UMf/tOOi 
(xvi Uwif MR* 


PlMM (featb M • 

Cl|lf*SH 
SnBk*l*K totecco 
C4«« 


Unf/IOM 

(tfbUngMXi 


MMkbrifwal Icbtcli oii> ml 

9r»i«e*rt«i 9v<>*p«(k 0v*«<«nen 

Nam at MMl braid (t Ma— at yaa wit >n»d at cu am* * ^ 

Oa a yaat laa W paebaaa. baa aatf OiilaltFa«Ualldda(baaaa.ha«faaii| 

laaaatarraafaaialbiaBdt aara lai |aar naal teaadt 

MiKiiaMfaaaftkld laataaMKiaOltia 

WMUfaai2*^cbaicabraad(ilaa|t? Vltba a yaar ?** cbaca tiaid (It aayl^ 


H raa aaaal bnad waa aaaridtbit a 
•Ma.iaaaMraa (cbaokaalfaat) 
Goioanoha awaiobvf tow 
uua brand 

Btif anadia bva w tongdi a 
raw uwa) bland 
Bur • Marani brand anaraiy 

sttoaussTOBMceo 


Wba la da affla a raar lataar braad* 

LBaa«Ka>|Cw loaatfFnaCw 

PoaelVfadcW Ua 

Pla| Saw 

What Itaaa a roar ti rWii t r aid* 
Aagtdar. naw at Cl angakal 
Wniartraan Wni 

Svbdbi Ffwarooiw 


Nawa at raw atani biaaid at «i|art* 


H laar aaaat kiaad aiaa anara ri a W t M 
«t*a.waaHTaa ichackaatraaa) 

Goiaanodiar icoracobavrc*i' 
Mwalferand 

Bw anod4f trpt or laaiiti of 
row aaaat broad 
ftw • ddlariiH brand anwatr 


About Your Household 


In wdar lor conpwaaa to Indr undaratand wtal ccnwmaia wnl. ■ « npcrtanl 
l«ilN«eaknowfnaraitian»NaplrbowaucholapioduellaMild Ihaynaddlo 
hard a cttai pKbiro ol ««Ihi la buy^ and «Hir Vnr tco burail. 

Tho MTwr can holp 

ThaWtoiMnidMiBonaafe bamgaabadaaamaanoioblKtroaandraoilaindr** 

lub-frowia. (laa nuias it oasac for aa lo w idat i land your fcatwancaa and aOkadao 


Nana at row rafWat brand at anW 
wnA. dfo. cbawuq Mbacca w aaaat 



Wbai la iba atria at raat rafalw hrandt 

loaaaAtwaCut 

toaaafnaCw 

PcDcVPackM 

Uit 


Snw 

What llatar n raai 

t rafrtar brandt 

tfogafor.nMwWor 

ongwol 

MMiarfraan 

Mm 

Svaghi 

FrwMdiw 


CcmplaMd 4 r** dapiat 
Adrancad dagiat 


1 1 ) Whal W raar auntal ftataft 
Uwrwddr aoinralaM 




UtadwaSKWi 

STUXOioSASBI 

S3SJ300tD$4tiS» 

dsoon 

STUOOtoSSMIb 
SiaDMliaS1«l.t8B 
diauno at onr 


Maaa at raw naait brand at cifarif 


:• ^ dM iiAar •• ewraci llwd>wcarVvdiaiiiia«iBbac<oprDdica.aaiind«awd 

i()0(a,andiMuUbhaiora<aMa promeaonataradiarcwaiinciBoabrlJSraaitandfor 
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PlUSt PfMt 
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Mosaic USA 

OrOMP S Svuggtng SoOMts 

Segment S71; Hard Times 

Oldf, <k>¥fn‘»c»l9 9nd 9thnlc»ily^vn« singles typically concan^fd in innar-eity apartmanta 

Overview 

Han) Tmat are the moat eoononMo<lia>eno*d oonaumars n the US. Ir> these diveree 
houeehoWs found M aging cay netghbofhootft some 40 percem are AfricaivAmencan and 
Aeproponionale nianbars are Htapanc and Asian Mosi of the adutts are behween 50 and 75 
years old. arv) they're Ivirtg ort Iherr owm as drvorcad or widowed individuals WMh thee 
low educaaone achievemeni • only 10 peroere have a college degree • V*ey earn mnimum 
wages as service-seeier werliars One-guarter of households contam a retiree. mcreMlng the 
nwnber of residents getting by on fbced Inoemes. In Hard Times, a maiorNy of householdars 
report ncomes of less than $15,000 a year, nearly a fMh of the nabonal average 

The nsighbortwods of Hard Tunes are typically Med with high- and low-nse apar tm era protects 
Found mostly in aUes east of the Mastssippl. many of these complexes were built in the urban 
r enewal of tfre 1960s to 1960s. when tenement row houses n downtown ghettos were teddoaed 
to create new houeng tor the poor and drsadvantaged Today, however, tttesa butidtngs are 
ofton drlapi dat ad and the eommuntbes are no placa to smfc in roots and raisa a fwnily indeed, a 
maionty of segment reeidants have lived at tw same address for fewer than three years 

Whria Hsrd Tenas nwy ba finattoaay-chaaanged. lhaee unattached smgles aM taka advantage 
ofcityamenaies They reguforty go out to local esteblishmants and cssaxts A relairvaty high 
menber of segment members work in edu cati on and have a passion tor the arts, they go to 
plays, dance parformartcas and claas«al muatt cortearts. AJ home, these wsrtoefhmc 
households kka to tisten to salsa artd tout, read books end magezinee srtd work out on 
treadnslls end rowing macNnee However, they're unkkaly to engsge in outdoor sports Kke 
fishing snd hunbng. These are dly folks who prefer tuMerds to beckpackvig 

In Ihe msrketplBce. these rtoueehokfe canrwl escape thee me a ger budgets They ortsn juggle 
credS cerde to stay afloat, rarely paymg off their balances each morkh Because Iwc-lhirda do 
iwl own a car. Hard Timas tand to patronize local stores wtthm waSung dMance of their home. 

They do anjoy shopping and keeping up with the leiesi stylee. however A brg excursion tor 
these pnee-eens*ve foM « a tnp to Macy's or Mershetis. they're more ikely to prck up 
necetesiee at a Kmart or Famay Dolar store. \Mlh money light, they rarefy asf out not even at 
fast-food restaurants Many woukf prefer to buy fresh foods at naighbeihoedmarkais tor home 
cooking, though they typrcaly s ettts for what trey can afford at ttw local grocery ttore. 

Lnuiad means m Hard Ttmas resuks in a ssiseave madto markal They tack the cars to make a 
dnve-tvne audrerxe Few afford to have a newspaper dakvered to tteir apartments. However, 
toey OTifoy TV. espeoaliy news profpams. moviee, dramas and sitooms They do read a wtde 
range of megaztnes • from Men's HeaHti end ftipufarMs e/ ianres to Etony and the NMtonaf 
Enqui/af Whie few go online, toeir miereets are sanitarty edechc In the digital world social 
networking. heeRh. fantasy sports 

Pege3lO)Oroupan4SsgmsniOse6rpeons Vsrs«<»|t^11 
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H>fdT*ne»tT»en>ber>refct$etobe0e<if>»^»ytfwifconorr>iccycun« a oc«»-Thay<ytupiof 
•dull educaiion come*. tl>ey're eenst a ndy loolung for bener jobt. and they’re tryng lo pursue 
mearsngXii Iwee that don1 require • lot of mortey PoMcady. they ier>d to be moderates who 
support the Oemo cr abc Party Dasprla bein g sngle. Iransanl anti doiwnacale. marty are mvolved 
in their oommutsbes They support focal arts groups, advocate r eeyc*r>g and are vAng to 
votortieer for a good cause Given dwr opfemsm m me face of hardsfap. their Mestyie seeme 
desleied to improve 

Ogtnographica and behavior 
Who wa ar* 

Ties a the bodom of me aoooeoononec larlder. the poorest lifestyle segment in the nation Hard 
Tlmea are older singlee m poor crty neobborheods Hearty three-quanars of the adidls are 
bebreen me ages of SO and 75: mis is an undardass of the wortong poor and desbiuta seniors 
without famly support Twr>-thirds are seigle. rPvorced or widowed Thie la a diverse oonvnunily. 
wim about eo paroant of households Afncer>Amencan. tour emee the national averaga. atong 
wtm sow oM Ke n tra tiona of Htipanica and Aatana Poody-educated.naarty had of household 
heads never graduated from Mgh achool They typcaly hold fobs as service>aecior workers in 
edu ca bon and pitoiic admeiiae ab oo. Orw-quartor of the houaaholds have at leaat one r asrde n l 
who's rafared. 

Where we live 

Locatod pnmanly in a^ng otiaa in ma eastom had of the counby in places Mw Oeboil. Mich . 

Sami Louis, Me . Hamaburg. Pa , and WMheigton, DC , Hard Tlmea ia a world of worn housing 
protects and lertemenl row hoMOS Home vaiuas. at roughly $136,000. are about a third betow 
the U.S average. VMlh many aaneng only miratnum wages, few own a home, mere men go 
peroani are ranters Whee more then a thud live n high-naa tHatdngs. most raatoe m low-nee 
rental unds. kittus Weak world, residents rarely stay mora man a few years, so ntsnl are thay to 
find better |oba and safer acoommodabons Nearly had have bved at the same address tor tower 
than thraa years and Nro-tlwdi tor ftwsr man five years. 

How we live our lives 

Oespile the tow-incoine economca. Iha kfestyla ei Hard Tmas can appear livaly. Many try to 
taka advantage of thee cd/samandias They go to bars, casinos, muaauma. outdoor ooncaits. 
zooa and aquartuma. More twn a few have a odturai sida. as seen in their oocasionai trip to a 
thaaler. ctassKal muse concert or dance performance, an above-average per c emage belong to 
arts groups At homo, they tend to spend thee bma balanmg to muaic • seise, soul and easy 
listening are popular • re edm g books. watOang TV and dong hobbies kke needtowork or 
c oSectn g crystal figures They stil find bma to exercise irtdoor s on baedmills. rowing fnecfw>es 
end mats tor aerobtes. Most shy away from rxigged outdoor activates like fishng. hunting, ice 
skating or wafer skiing 

Hard Tunes like to travel, espeoaliy mose who are fortigrt-borri; they regularty wait their home 
countries In the Cahbbean. Central Amanca and Soum America. They hardly travel in luxury: 
domeebcaly. they're more likely to travel by but or tram raSwr than plane. They stay at diseouni 
hotels Ike Motel 6. Howard Johnson and Travalodga 

Page 311 I Group and Segment Opssreaens Verwon1|2PI1 


EXP002947 



IKS. Senate C ommerce C ommittee 

Mosaic USA 


42 


Exhibit B 


While«cononHca>)r-ch»iltngtd. these downscaltoonsumtrsttin And joy in consumcMion Tlwy 
have a need lor status reoooniliort. and they took for dothes that wH make an affordable iashion 
statement Thee lop-raled retaffars tend to be ddcount chans such as Kmart, f an% Dolar 
Store. Marshaks and Ross Oreaa lor Less Wtih only a third ol householders owninQ a car. many 
adults preler the conveniertce Ol shoppmg al locai stores ever Sie nabonal ehams. but Btey 
atweys wad for sales 


Hard Tenea have averaQe interest n l aiaetad medfo They're only a modest auderKe for radio 
and law subacnbe to a newtpapar. Most rely on TV to atay nformad. and they tka watching 
movtea. aitcamt, reaMy shows, newscasts and cnme dramas Thay also welch cable chenneis 
kke FX, Haknwti Charvtal. SET. TNT and Sp*e Theee restoents ate b^ tone of mmtreem 
end ethnw-targated magaznee Ika Glamour, AnsMtctunI Oigoat. Ebony. Pofiulor Ahdmucs 
and O Thasa housahoWa are not big on the Intemat, but those that do have onine access tend 
to viert sees that iesture health nformatton. gambling and dasaiffads 

Hew wff view the worid 

They may ive in poverty-sincfcen arrvironmants. but Hard Tenet are sM ambibous mobvatod 
and aapee to improve their standard ol livvtg Even in middto age. toey're 40 percent more likely 
than average to sign up for adull education courses They support the repnontsing of money, 
stymg the! how they spend their tens is more importanl than how much money they make. 
Neverth e l es s, ffiey'd tike to fond e betfor |0b Al this stage ol their bves. long tinte Mends are 
more vnportant than family mambars. and they want to earn the respect of their peers. They 
Ineisi that doing one's duty is mere impor ta nt than e n joying foa 

SMth the majority of metTfoer s unm a rried, more Stan half say it’s Import a nl to be attractive, triple 
toe nabonal average Thay maka an effort to keep heakhy. by exerbsing regularly, avoktng last 
food arto watctHog thair caforfoe Whan thay cook, thay ika to buy fresh, natural foods and avoid 
artibcial additnres 

PoMeai nwderaees. a maierty align toem e ei vas with tha Oemocrabc Party, and an above- 
average concerttrabon cfoan to be Indepeodan to Thaea mdwWuaaats twmg between iberal and 
conaervebve afonoes Rekgron pfoys a m^or rofo In their Irfe. and they ike watching reUgious 
progr a ms on TV. While they're not jomers, they do have e oubum streak end belong to arts 
groups They care about toes eommurwy. efoanmg that people have a duty to recycle: they else 
wHI volunteer toe* time ter i good cause 

How wp gst 

As the segntent wrto toe lowest income • under S24.000 • Herd Times earn less then a third of 
tha nabonal average Most have few income-producmg assets end possess no investments 
other toan some taK-sha<fored annutiea and cash managamant acoouvs Thay'ra awa to gat by. 
thay say. bscausa toay're good at managing tha monay that they have Many juggle several 
cre<M cards, thay carry both dsbit and credit cards, and toey have a numbar of bank, charga and 
retaf oredk cards, particuiarty from Sears and JCPemty However, lew pay off toev cards each 
monto • more then 70 pereeni below everege VWiere they espeoeHy stand out is m nsurarKS • 
toey cany bfo. haaffh and rarttofs insuranoa 

Ptga 312 I Group and Segment Osscnpbons Ve<«onl|2011 


EXP002948 



43 


ILS. Senate Commerce Committee Exhibit B 

Mosaic USA 

Digital behavior 

Hard Timn are not very Mamei-actrve. They do va4 eeme Webeaes frequenay. ffexigh. 
espeoafty thoee that dee) wrih the arts. heaVi. oa mfctatg, dating and reig«n However, (hey 
rarely go onlne tor shegpng. banking or makng bavei arrangements SMtile retativety lew 
access the intontet through computers at heme, they wa go onknc usmg a mobSe phone Unlike 
many onlne users, twy'ro pertoctiy happy wSh recerwtg. and respondmg to. smail ads 


Page 313 | Group and Sagmers Deacrpoens 


n I |2011 


EXP002949 



r.S. Senate C ommerce C ommittee 

Mosaic USA 


44 


Exhibit B 


CiOtip $ S»vggtn9 $oa*tn 

Sogmo nt S70: Enduring Hardship* 

Middle-aged, down-scale singles and divorced Individuals In transitional small town and exurtan 

apartments 

Overview 

Money tt ttghl n Enduring HardsNps, a segment of md^e-eged smgies end divofoed individuals 
wdh one of Hie lowest average incomes in the countty Centered in Southern and Midw e stern 
towns and small cities, mese predonananOy wtme households m thee 30s and 40s often struggle 
to support even a simple idesfyis intact lamiasi are a rarity A majonty of households oontarn 
smgle or divorced eidividuals wShoul cMdren. and nearty a quarter are sngie parents rs«ing 
cMdren Most of the aduts have low educations - nearly hvo-thirds (ailed to firvah lagh school - 
end they hold mewnunvwage jotM as laborers end sennce-secior workers 

lAlldi Iheir low incomes, few can afford to own a home Over 95 percent of the householders are 
renters. Iwing n iow-nse projects and duplexes often tocaled in tired and worn neighborhoods 
They express oorK e ms about crime, drugs and potubon. Many are elso rootless and must deM 
wth the cha iengss of a transiant aidstanca. only a smas percentage belongs to a church. PTA 
orovicgroup In ttss segment, two-thirds of the householders have ivad at the same aiMass for 
fewer than three years. 

Whan they're not al work. Enduring Hardships are unabls to afford many laisura actwibas They 
tend to spend their svenmgs at home, watching TV or kslaning to music ThayX oocastonaty 
splurge on a tickat to a cencart or a gambing junket to a casano These folks don't have the 
decratnnary spenOmg to regularly go to mov»s, plays, comedy dubs or even bars Ifihaywant 
to gat outdoor exeroas. theyH canaidsr a fahmg and campmg trip \Mian they want to go out to 
dinner, irs typicsiy to a fast-food cham like Dairy Queert and Church's Fnsd Ctecfcen or to 
Golden Corral for a sit-down dnw. 

As consumers, these pnca-saneitwe shoppers worry about Sving beyond thee means- VMch few 
tovastmantf and savmgs. may get by wrth oc casto nal leane and paying only wtfr cash or money 
orders They patronize discotaa department stores Ike Kmart and Odar General, snywhers 
else, they head nghi for 8>e deerertce recks They shy away from a tol of rrew technology, but 
wl buy etac t ionc s that enhenoe their TV viewing experierroe When s comas to can, they weuk) 
Wte to buy a greeMookmg sports car witoe tot of horsepower under the hood However, nearty 
two-lhirds cannot afford to own a car. These who can typtoaly settle for a used economy car or 
sadan thaTs made in Detrott and won't tpreak down too oOan. 

With nighadt out of ttw question. TV is the duef form of en te r tain menf ei ttes segment Members 
wetoh movies. resMy shews arid aSeema. and thes favorite cable channels mdude Oxygen, TNT 
and CMT VMh thair lew aducabonal a chwv sm artt. Endtamg Hardshfos read few newapepers 
andmegacnes Thay'ra starenglo become mere comfortable wrth thaimamsl.bullhay go 
onbna Mrequantty Sooal media srtas are beginning to atirea them to the virtual world, though. 
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V.S, Senate Commerce ('ommittee ICxhibit B 

Mosaic USA 

These are stresse(»-oul Amencana They «sUke thee lew standard ol Mng but aren't sure if (hey 
cart do much to enpreve iL Many would Hke to start thee own buseiess or try a new Mne of work. 

Though they've typcady ortfy lived in thee neighborhood tor a short erne, diey 're willing to join a 
proteel march to help rtd the streets of drugs and crime Wortia d about tha tolura. they seek out 
ways to ntprove lhair present Ives. 

Demographics and behavior 

Who we ere 

Endunng Hardships are predometendy whde end downecato. with moat marrbar s setgle or 
divorced, though some are older single parents with dependent children A majoMy of household 
heads are between toe ages of 3$ and SO. about SO percent above average The educakonei 
levels tor the adtdls are tow. with tower toen 5 percent hawig a coleg s degree. 60 percent 
never Inahed high school As ■ resuft, nearty hwMhMds of toe adults work at tow- leve r sales or 
service-sector jobs, mostly m haalto care, tood services or tech support, about twice toe nabonel 
average 

Where we live 

Located in exurban towns and smal otoas throughout the Midwest and South. Endunng 
Hardshtos land to ive m tow-rwe a parkments and duplexes Atmost an toe segment members are 
renters, re s tn de d from home ownership by thee low inoomes The neighborhoods are rarely 
hjRunous. residents worry about emte and vielenee in toa area In these iranaitwnal 
neighborhoods, few have deep roots vi toe community Endunng Herdshtos do not oflen belong 
to churches or WK groups More toan 40 percent have kved at toe seme address tor lass than a 
yaar. two-tords tor towar than ihrae years 

How w« live our lives 

Endtfmg Hardships hava quwl Mestyles Aftar long days at work, toayre happy to spend dwir 
evemngs ai home watelmg TV. beterwig to music or coekirig. An ebove-averege number also 
Hies to coaact sports memorabiba These middla-eged smgles wiH occasionally go oul to a 
concert or go on a gambling trip They're toree bmes as bkaiy as lha gertarsi populabon to 
gamble « Adantic Cdy. Otoarw«e. they donT pursue rughttfe or eullural aeswities. A modest 
merkei for atolebe pursuits, they ptoy no orgarszed sports or take desses at health dubs. Among 
households with children, ice sfcMng. water sfung and n4ne sKabng are popMar aclivilies 

Ertourmg Hardships have HHe toscrettonary income tor savel However, aome have takan a 
Btfiamas cruisaii lha last three years, and they Hia to goon ovemighicampmg tope They 
rarely go to wMie-labledoto restaurants, but thesa households do en|oy fast tood. patronizng 
Chavis Ike Oaky Quean, Panere Bread and Church's Fried Chickan These patrons are opatv 
minded artough to try to new toeda and drinks, often ratpondng to ads they see on TV. 

Endunng Hardships kite to shop, but they're vetoe-consoous consumers who dtop at Kmart. 

Dolar General, TJ Man and Rosa Oreaa for Less They're Me adopters when it comes to 
technology, but these selFdeecnbed TV addwts buy DVD players. OVRs «id big-screen TVs. 

Transporting such purchases home is another meoer because nearly 60 percent of households 

P»ge3M|GreupandSegmaf«OcKnpbwis Vs(swn1|2011 
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Mosaic USA 

don't own a car. Tbose who do tartd to drtvt a smM aconomy car or «tar>dard sedan, and nine 
out of tan purchase used cars. In this iMy American’ segment, most cars are made in Detroit 

In En^wng Hardships. TV is the main source of entert amm ent and a constant comparhon They 
can't afford premium channeti. but they watch cable networtis such as CMT. Bravo. Soeprret. 
Oxygen artd TNT. and their favorite programming includes movies, history programs, reality 
shows and anylhmg retaled to auto racing. Their lerMterwy to kslen to Ihe radio « tow, ar>d they 
show ktlle inlerasi in subscribmg to newsoapers and most magazirtes 

How wt view th« worid 

Endunng Hardships may have low educatlorts and limitod sWlls. but they sti express a naad for 
personal achievamani arid a desire to be respected by (heir peers They would tke to start B>air 
own busmass and are wdhng to take nsks to improve thee standard of living. Thay adma that 
owning good-guaMy dungs grves them Joy, but that oAan raqures more money then they have 

In their neighborhoods threetened by crime, (he men er>d women of fhie segment worry about 
what the future holds tor toem. Some say they toel alone in the world arid helplass to change 
Iheir Uvee To oombal iMs tooling, they try to control as much of their kves as poesibte. even rf H 
juei means ksepng a neai houaa 

PolNically. these Amencans aren’t very active, they regoler to vote less than toa average About 
had of aduis are Oemocrets, and they ter>d to be liberai to moderato on moot issues They lend 
to have a global portpeciive. and raspect Pie customs of others and want to stay was m fermed 
about Inismalional issuas However, they are more concerrwd about improving iNngs tocally 
than globsdy 

How w* gat by 

WKh their minimum wages (less than $26.(X)0). the segment's household noome le ordy ■ third 
of Ihe neliorwi average Endunng Hardships barely gel by. They have few savings and tower 
irwome-producing assets The only mvestmeni they tend to have o sawttgt bonds, and even 
then the total valua is typically less than S6.000. Many admit that they know kllto about toianca. 
disiruat banks artd worry that carrywtg aadS cards will restdl in identity tholl. As a result, they 
cortduct most of iheir finertciel transactions with cash, debit cards and mortay orders Some live 
beyond Iheir means, borrowing from loan companies to make ends mset Though tow use 
insuranee. an above-average percentage has taken out Me inswanoe. though ihe amount is 
generally leas than S20.000. 

Digital behavior 

Endiamg Hardships are among the toast Internet-active, but they are graduaty becoming more 
active online. They're fond of silee that offer eooal r>eNvQrking. games, aucbora. shoppng 
coupons, sports scores and dating connacbons. Among their fsvome sites; myspece com. 
delehookup.com. iwtn.com and pogo oom. They’re responsive to Internet ads; they cfrck on 
email promobons artd sponsored Websites Hovrever. because many can’t afford to buy 
contputar eguipmani artd modems. Ihey'ra twice as tikefy as average Antencans to go ortkne 
through school and Itorary computers 
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Tough Start: 

Young Single Parents 


adD/ 


Exhibit B 

■ . 


Group A - Cluster 1 

Ufestage 

bKome 

Spending 

OedH 



% of U.S. Housohotds: 0.6% 
Number of Househotds: 749,413 


Cluster Description 

The$e young single parents often struggle to make ends meet, as their discrettonary spendirtg r>earty outpaces 
their very modest ircomes. They are lately have poor crecSt histories, may have difficulty obtaining credit, and 
tend to rely heavily on the few cards they do have. However, they firxl the ups and downs of the ftnartdal martcets 
excitir>9. Easay swayed, these shopaholics late to dress in the latest fashions artd strive to achieve a higher social 
status. These struggiirtg sngies frequently turn to advertising to get information about bargains, but their chadren 
tend to have a large impact on the brar>ds they end up buying. They speryf nxst of their free time with their kids, 
primariy at home so they can catch up on housework, and they j^efer picking up quick meals at ^ food 
restaurants to cooking meals. 



I 


O 

O 

z 


Demographic Summary 

Income Tier Low (Under $50k) % Menled: 37% 

Age Tien Young (Urtder 35) % with Children: 100% 

Median Age: 29 


Ecor>omic Summary 



EconomicCohorts 


EQlJlfMX- 





48 



Relying On Aid: 

Retired Singles 

Group D - Cluster 18 


Exhibit B 


Ufestage 


Spending 


% of U^. Households: 1.8% 
Number of Households: 2.127,412 


l\ene>ierhaditeasjr.Ne\^taM. never mil. 


Cluster Description ^ 

These sirtgle retirees of limited mear>s and meager retirement savings are iust barely able to make ends meet. 
WNIe they try to curtail expenses, their discretionary spending accounts for a large portion of their modest 
incorries. They rely on a smaH number of credit accounts ar>d loans, but thair credit utiltzation Is stM moderate. 
With only a high school education at best, it has been hard to get ahead. Poorty insured and Medicare/Medicaid - 
dep6r>dent, they are ganaraOy pessimistic about their economic situation. They try to cut back and save whenever 
possible, but it is hard given their limited means. Preferring to stay does to home, their lives are pretty much the 
same from weak to weak. In fact many hava lived in the same home for over 20 years. Fakty sadantary, they 
spend their time working on their coin collections, watching TV, and playing bingo. 


Demographic Summary 
Income Tier Low (Urtder SSOk) 
Age Tien Retired (66^) 

Median Age: 75 


% Married: 22% 

% with Children: 3% 


EconomicCohorts 
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ILS. Senate Commerce Committee Exhibit B 


X-tra Needy 

This Niche is heeded by an older person, generally in their mid'60's. There are no 
children present in these households, but there is a great (merest in grandchildren. 
About three-quarters of this Niche own their homes, whkh are valued at about 
$110,800. They have lived in them for nearly 13 years on average. The majority of X-tra 
Needy households have slightly more than a high school education ar>d most are 
employed in blue collar occupations: many of the households in this Niche are retired. 

Nearly 20X percent of X-tra Needy households are known credit card owrters. They 
have modest irKomes ar>d are r>ot very ecorsomkally active with only $1,000 in recem 
discretior\ary spending occurring in catalogs, ordlrsc and retail. Catalog is the strongest 
purchase medium for this Niche. Aisd. when they do shop, they purchase automotive 
accessories, home dicor. books, magazines, and low-ticket male and female apparel. 

They take a great interest in improving their health, nutrition/dieting, and donating 
when possible to rrsedkal causes. Grarsdchildren are a major interest In their lives, as 
are sweepstakes, bible reading, musk, books, hobbies, and collectibles. They also enjoy 
fishing ar>d other outdoor activities. 


SuperNkhes - With MOM uniqiie insiglit into all of AmerkaX 
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Exhibit B 


Very Spartan 

This Nkhe is composed of households who do not have children; about half live in 
rented unitv The average home value for those that do own ihek homes is about 
$105,500. The households in this Nkhe are highly mobile af>d have very short lertgth of 
residences, usually less than 5 years. These are mostly blue collar vrorkers that have a 
high school diploma or some college educatkw. 



Very Spartan households have few credit cards, and make few purchases, with only 
$600 in recent discretionary ^end recently. When they do spend, the households it 
this Niche purchase automotive accessories, home decor, beauty supplies, 
hunting/fishing cquipmem. magazines, and iow*ticket apparel. 


$ 26,949 


39 


Their interests include book reading, contests/sweeps, musk, sports, fishing, automo' 
tive work. ar>d collectibles. Other outdoor interests include camping and hiking. In 
additk^^ they are concerned with their health and like receiving health related infor- 
mation in the mall. 


AVIRACC ICNCTH OT RESlOCNa 

5 


HNCfNTWTTHKIOS 

2 % 
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Exhibit C 


OExperian- 


A world of insight 


ChoiceScore 

Improve ta^eting and customer acquis^n in the untapped under-banked 
population 

OtokeScort, a new Kortng tool from Etpertan. helps marketers identify arxi more 
effcctfvely market to ursder-banked contumen usmg the most comprehensive array of 
non-cieditdata available from Experiarv irKkjdirtgcervsumer. demographic, behavioral 
arvJ geo demographic mforrrtadorv Increase responses ar>d approval rates for greater 
profitability by reachirsg the fastest -growirsg derrtographk segment in the U.S. irscluding 
thin file popdatiorsi, emergirtg consumers and rton-bureau matches, veth your 
irwitation to apply (ITA) direct rrtatkctmg campaigm 


Target ursder -marketed r>ew prospect 
segments eager to accept direct 
rrurkeling offers 

Having access to fredi leads is the Mebtood of 
dirvet marketing Urvter-banked and emerging 
cemumers offer marketers a largdy untapped 
pool as an altematM to often satiaated prmary 
markets Each year. imdtniMrfced consumers 
alone spend nearly S1 1 blbon on norvtraditnnal 
financid transactions like payday loarts and 
<hKk<aiNng saivkts. and conduct mere than 
MO non-bark transactiora 

ChokeScor* helpt you identify under-banked 
and emerging consumers kfcely to be the most 
resporvfve to targeted campaigns, such as 
imiiMlons to apply oedt offers, including: 

• New legal invrigrants 

• hecent graduates 

• VMows 

• Those wrih a generation bos against the use 
of credii 

« f ollowers ol religions that hiaorieaiy have 
dscouraged credit 

• Consumers wHh transtory lifestyles, such as 
mirtjry persormei 

In total, das largely untapped demographic 
segment represents more than 30 mffion 
households and 77 iiii«n consumers - more 
than one-third of the entire U.S. population 


Apply two ChokeScor* models to 
confidently guide dccislonirtg 
C hokeSoore was buit usmg a combinatian of 
Cepenan databases, rradded data and pubke and 
pioprietary data souroei usirtg ChokeScoreS two 
custom models, you can seleci ar>d tea rkfferent 
conMerree leveb arid target «eci1ic cora u meis 
based on potential nsk 
The lira model idenofm and aspgns a 
corddanct score determning the properady 
for a coraumer to be in the under-barked 
population. The second model apples a score to 
identify the moa and least desirafaie consumers 
vMihin the ChokeScore pepiiatnn that can be 
mduded wkNn an imitation to apply (drect 
irsarketmg campaigr) 

SpecifkaMy the models ivere: 

• 8uNt uang a defined urwerse of records 
identified as underbanked as the baseAne 
analysis file 

■ Designed to be appked « unisan 
or independently 

• Budt and scored in denfrdecites(S% breaks) 
for added granulanty with scores appended 
al (he indKwkal twel, but aggregated at the 
household level 
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Mak* iht appropriate product or service 
offer to profitably penetrate ur>der 
banked corHumeri 
Marketer the vmrtg product to coroumcrs 
can con mMions of dolan Often underbanked 
comumen are urkryming^ marketed to only to 
be dedned upon responding due to tad; Of credit 
history, or dscouraged from apptying because the 
product Offer is beyond tfwr meara. 

mstead. ChokeScore helps you svategicaey 
segment groups based on your campaign 
ebiectives and goals so that you ha« the 
greatest charKe for success by making the right 
offer 10 the right auttonce. BuM trust and gain 
acceystance by leatfeng wiSi products and 
serwcts often used by this target audence 
kke check cashing, savings accounts and auto 
loarB. later, you can Increase your profos by 
cross scing other prodictt to yav new base of 
guiWied consumers 


Depend on the information 
industry leader 

Dpcrian is ltd) in the currency of marketing - 
customer and market mformaaon. Using our 
unparalleled depth and breadlh of irformallorv 
CheiceScore helps you manage accMSrtion 
littv adMW higher response rates and devekp 
profitable campaigm. 

To find out more about ChoiceScote. 
contact your (apcrian Sales representative, 
can MO S20 1221. or visit our Web tile at 
WWW eaperian.com 


47S Anton Blvd. • Costa Mesa. CA 92626 • 800 S20 1221 • www.eapaf1an.com 


ilMir^PbpinanMamwMnSeMamK. 1007 AI<i|l>oiMWd 
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The Chairman. One of the things that we have learned in this 
investigation is that data brokers engage in many unobjectionable 
activities. They do what marketers have always done: They help 
businesses find potential customers. 

But we have also found some practices that raise some serious 
consumer protection concerns. In particular, I am disturbed by the 
evidence showing that the data brokers segment Americans, cat- 
egorize them into categories, name those categories, based on their 
incomes, and then they sort economically vulnerable customers into 
groups with names like “rural and barely making it” — not making 
it up, that is one of their categories — “tough start: young single 
parents”; “rough retirement: small-town and rural seniors”; and 
“zero mobility.” 

I want to know how and why data brokers are putting American 
consumers into categories like these, and I want to know which 
companies are buying these lists to target their marketing to these 
groups. Maybe it is totally innocuous and benign. I don’t start out 
accepting that, but maybe it is. That is why we are doing this in- 
vestigation. 

Some companies in the data broker industry have responded 
positively to our oversight efforts. 

When I became Chairman here several years ago, we went over 
to Henry Waxman and stole a couple of his best people and set up 
an investigations unit, which for some reason we had never had. 
And we gave ourselves subpoena power; for some reason, we had 
never done that. It is a powerful tool when you are doing investiga- 
tions, which is what we tend to do in here. 

I want to know which companies are buying these lists to target 
their marketing to those groups. 

Some companies in the data broker industry have responded very 
positively to our oversight efforts. Over the past year, they have 
provided complete answers to my questions, even the tough ones. 

But several of the largest data brokers — specifically, Acxiom, Ep- 
silon, and Experian — are continuing to resist oversight, just resist 
it. To date, they have not given me complete answers about where 
they get their customer data on consumers and to whom they sell 
it. 

I am putting these three companies on notice today that I am not 
satisfied with their responses and I am considering further steps — 
and I have steps that I can use — that I can take to get this infor- 
mation. We have oversight over this activity in American com- 
merce. And if you do oversight, whether it is over intelligence or 
whether it is over this, you do it seriously and you do it with a pur- 
pose and you want to get the truth. 

So I am putting these companies on notice that I am not satisfied 
and I have further steps that I can take to get this information. 
And I want to assure them that the oversight efforts in this com- 
mittee that we have started will continue. 

I call now on my distinguished friend from a similar urban 
state 

Senator Thune. That is right. 

[Laughter.] 

The Chairman. — Senator John Thune. 
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STATEMENT OF HON. JOHN THUNE, 

U.S. SENATOR FROM SOUTH DAKOTA 

Senator Thune. Well, thank you, Mr. Chairman, for holding this 
hearing. 

And thank you also to the witnesses for coming here today. 

Our economy is increasingly data-driven, and data brokers play 
a growing role in facilitating the provision of goods and services to 
consumers. Data or information brokers are companies that collect 
data, including personal information, about consumers from a wide 
variety of sources, such as public records, websites, and retailers, 
and then resell such information for purposes that range from 
verifying an individual’s identity to preventing fraud to marketing 
products. 

As the Chairman noted in his initial letters to several data bro- 
kers in 2012, the purpose of his inquiry has been to better under- 
stand the industry and I look forward to today’s hearing as we 
focus on how the information collected by data brokers is used for 
marketing purposes. 

Without question, data-driven marketing can provide benefits 
and greater convenience to consumers. It can lower the cost of 
products and services because businesses can target marketing 
more precisely. It also can help businesses create and sell products 
that consumers actually want, lowering start-up costs for new busi- 
nesses. 

Data-driven marketing is one important reason that many of us 
are able to use search engines and our e-mail accounts for free. It 
also allows consumers to receive frequent-shopper benefits and cou- 
pons. And it promotes the targeting of resources to reduce the 
amount of junk mail and catalogs that aren’t tailored to a con- 
sumer’s particular interests — at least, that is the goal. 

Put simply, this industry is at the center of something the Com- 
merce Committee cares about: commerce. In today’s economy, data- 
driven marketing is widely used across all sectors of the economy: 
financial, insurance, automotive, retail, technology, health care. It 
is even used by nonprofits, governments, and political campaigns. 
In fact, many media outlets have noted how the use of commercial 
data resources helped the president’s reelection campaign in 2012. 

As we will hear from the Direct Marketing Association, the mar- 
keting data industry is also helping to fuel job creation and tech- 
nical innovation in our slowly recovering economy. 

While the industry creates many benefits, this hearing will also 
explore important questions about the privacy implications of data 
brokers’ activities, including issues of transparency, profiling, and 
concerns about allegations of differential pricing. 

Questions have also been raised about whether consumers are 
aware of the instances in which their personal information may be 
collected, bought, and sold, resulting in calls for more transparency 
into data broker practices. 

Advocates have also raised concerns that data brokers create pro- 
files of individual consumers based on the aggregation of sensitive 
and sometimes personal data, including health conditions. 

These are important issues, and I look forward to the discussion 
today. 
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In a rapidly changing marketplace, the Federal Trade Commis- 
sion has done important work concerning data brokers and related 
privacy issues, including developing educational efforts. They have 
also brought enforcement actions under the FTC Act and the Fair 
Credit Reporting Act. The FTC is also completing a study about 
practices in the data broker industry and will provide recommenda- 
tions to Congress based on their findings next year. I look forward 
to their testimony. 

The Government Accountability Office has recently produced a 
report on the data broker industry, which I understand will be sub- 
mitted as part of the record for this hearing as well as to help in- 
form this committee. 

[The report follows:] 


GAO Highlights 

Why GAO Did This Study 

Members of Congress and others have raised privacy concerns about information 
resellers (data brokers) and consumer information. In part, their concerns stem from 
consumers not always knowing the nature and extent of the information collected 
and how it is used. Growing use of the Internet, social media, and mobile applica- 
tions has intensified privacy concerns because these media greatly facilitate gath- 
ering of personal information, tracking of online behavior, and monitoring of individ- 
uals’ locations and activities. This statement for the record discusses: (1) existing 
Federal laws and regulations on the privacy of consumer information held by infor- 
mation resellers, (2) any gaps that may exist in this legal framework, and (3) views 
on approaches for improving consumer data privacy. 

This statement draws from a September 2013 report (GAO-13-663), which fo- 
cuses on information used for marketing. GAO analyzed relevant laws and regula- 
tions; interviewed representatives of Federal agencies, trade associations, consumer 
and privacy groups, and resellers; and identified and reviewed approaches for im- 
proving consumer data privacy. 

What GAO Recommends 

In September 2013, GAO suggested that Congress should consider strengthening 
the consumer privacy framework and review issues such as the adequacy of con- 
sumers’ ability to access, correct, and control their personal information; and privacy 
controls related to new technologies such as web tracking and mobile devices. 

Information Resellers 

Consumer Privacy Framework Needs to Reflect Changes in Technology 
and the Marketplace 

What GAO Found 

No overarching Federal privacy law governs the collection and sale of personal in- 
formation among private-sector companies, including information resellers. Instead, 
laws tailored to specific purposes, situations, or entities govern the use, sharing, and 
protection of personal information. For example, the Fair Credit Reporting Act lim- 
its the use and distribution of personal information collected or used to help deter- 
mine eligibility for such things as credit or emplojunent, but does not apply to infor- 
mation used for marketing. Other laws apply specifically to health care providers, 
financial institutions, or to the online collection of information about children. 

The current statutory framework for consumer privacy does not fully address new 
technologies — such as tracking of online behavior or mobile devices — and the vastly 
increased marketplace for personal information, including the proliferation of infor- 
mation sharing among third parties. No Federal statute provides consumers the 
right to learn what information is held about them for marketing and who holds 
it. In many circumstances, consumers also do not have the legal right to control the 
collection or sharing with third parties of sensitive personal information (such as 
health information) for marketing purposes. As a result, although some industry 
participants have stated that current privacy laws are adequate, GAO found that 
gaps exist in the current statutory framework for information privacy. The frame- 
work also does not fully reflect the Fair Information Practice Principles, widely ac- 
cepted principles for protecting the privacy and security of personal information that 
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have served as a basis for many privacy recommendations Federal agencies have 
made. 

Views differ on the approach that any new privacy legislation or regulation should 
take. Some privacy advocates have argued that a comprehensive privacy law would 
provide greater consistency and address gaps in law left by the current sector-spe- 
cific approach. Others have stated that a comprehensive, one-size-fits-all approach 
would be burdensome and inflexible. Some privacy advocates also cited the need to 
provide consumers with greater ability to access, control the use of, and correct in- 
formation about themselves, particularly for data being used for purposes different 
than those for which they originally were provided. Industry representatives have 
asserted that restrictions on the collection and use of personal data would impose 
compliance costs, inhibit innovation, and reduce consumer benefits. Nonetheless, the 
rapid increase in the amount and type of personal information that is collected and 
resold warrants reconsideration of how well the current privacy framework protects 
personal information. The challenge will be providing appropriate privacy protec- 
tions without unduly inhibiting the benefits to consumers, commerce, and innova- 
tion that data sharing can accord. 


Prepared Statement of Alicia Puente Cackley, Director Financial Markets 
AND Community Investment, U.S. Government Accountability Office 

Chairman Rockefeller, Ranking Member Thune, and Members of the Committee: 

I am pleased to submit this statement on our recent work on privacy, personal 
information, and information resellers.'^ As you know, information resellers (also 
known as data brokers) offer several types of products to customers that include re- 
tailers, advertisers, individuals, nonprofit organizations, law enforcement, and gov- 
ernment agencies. This statement is based on a report we issued this September in 
response to a request from this committee to review privacy issues related to the 
consumer data that information resellers collect, use, and sell. Others also have 
raised privacy concerns about resellers and consumer information. In part, their 
concerns stem from consumers not always knowing the nature and extent of the in- 
formation collected and how it is used. Moreover, growing use of the Internet, social 
media, and mobile applications has intensified privacy concerns because these media 
greatly facilitate the gathering of personal information, tracking of online behavior, 
and monitoring of individuals’ locations and activities. 

Our September report examined: (1) existing Federal laws and regulations related 
to the privacy of consumer information held by information resellers, (2) any gaps 
that may exist in this legal framework, and (3) views on approaches for improving 
consumer data privacy. We focused on privacy issues related to information used for 
marketing and individual reference services (look-up or people-search); we did not 
focus on information used for other purposes such as determining credit or employ- 
ment eligibility.^ 

For our September 2013 report, we reviewed and analyzed relevant laws, regula- 
tions, and enforcement actions. We interviewed representatives of Federal agencies, 
trade associations, consumer and privacy groups, and resellers to obtain their views 
on data privacy laws related to resellers. We identified and reviewed approaches 
(legislative, regulatory, or self-regulatory) for improving consumer data privacy that 
Federal entities — such as the White House, Federal Trade Commission (FTC), and 
Department of Commerce (Commerce) — or representatives of industry, consumer, 
and privacy groups advocated. We interviewed representatives of these entities and 
reviewed relevant studies, hearings, position papers, public comments, and other 
sources. Further details of our scope and methodology can be found in our published 
report. 

We conducted the performance audit on which this statement is based from Au- 
gust 2012 through September 2013, in accordance with generally accepted govern- 
ment auditing standards. Those standards require that we plan and perform the 
audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe that the evidence 


1 GAO, Information Resellers: Consumer Privacy Framework Needs to Refleet Changes in Tech- 
nology and the Marketplace, GAO— 13— 663 (Washington, D.C.: Sep. 25, 2013). 

2 In a 2006 report, we examined financial institutions’ use of information resellers, focusing 
on consumer information used for eligibility determinations, compliance with legal require- 
ments, and fraud prevention. GAO, Personal Information: Key Federal Privacy Laws Do Not Re- 
quire Information Resellers to Safeguard All Sensitive Data, GAO-06— 674 (Washington, D.C.: 
June 26, 2006). 
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obtained provides a reasonable basis for our findings and conclusions based on our 
audit objectives. 

Background 

Resellers maintain large, sophisticated databases with consumer information that 
can include credit histories, insurance claims, criminal records, employment his- 
tories, incomes, ethnicities, purchase histories, and interests. Resellers largely ob- 
tain their information from public records, publicly available information (such as 
directories and newspapers), and nonpublic information (such as from retail loyalty 
cards, warranty registrations, contests, and web browsing). Characterizing the pre- 
cise size and nature of the reseller industry can be difficult because of limited pub- 
licly known information about the industry. 

In 1972, a U.S. government advisory committee first proposed the Fair Informa- 
tion Practice Principles (FIPP) for protecting the privacy and security of personal 
information. While FIPPs are not legal requirements, they provide a framework for 
balancing privacy with other interests. The Organisation for Economic Co-operation 
and Development (OECD) developed a revised version of the EIPPs that has been 
widely adopted (see table 1).^ 


Table 1. — Fair Information Practice Principles 

Principle 

Description 

Collection limitation 

The collection of personal information should be hmited, obtained by 
lawful and fair means, and, where appropriate, with the knowledge or 
consent of the individual. 

Data quality 

Personal information should be relevant to the purpose for which it is 
collected, and should be accurate, complete, and current as needed for 
that purpose. 

Purpose specification 

The purposes for the collection of personal information should be dis- 
closed before collection and upon any change to those purposes, and the 
use of the information should be limited to those purposes and compat- 
ible purposes. 

Use limitation 

Personal information should not be disclosed or otherwise used for pur- 
poses other than a specified purpose without consent of the individual or 
legal authority. 

Security safeguards 

Personal information should be protected with reasonable security safe- 
guards against risks such as loss or unauthorized access, destruction, 
use, modification, or disclosure. 

Openness 

The public should be informed about privacy poHcies and practices, and 
individuals should have ready means of learning about the use of per- 
sonal information. 

Individual participation 

Individuals should have the following rights: to know about the collec- 
tion of personal information, to access that information, to request cor- 
rection, and to challenge the denial of those rights. 

Accountability 

Individuals controlling the collection or use of personal information 
should be accountable for taking steps to ensure the implementation of 
these principles. 


Source: OECD. 


FIPPs served as the basis for the Privacy Act of 1974 — which governs the collec- 
tion, maintenance, use, and dissemination of personal information by Federal agen- 
cies.^ The principles also were the basis for many FTC and Commerce privacy rec- 


^ Organisation for Economic Co-operation and Development, Guidelines on the Protection of 
Privacy and Transborder Flow of Personal Data {Paris, France: Sept. 23, 1980). OECD’s 30 
member countries include the United States. OECD has been considering whether to revise or 
update its privacy guidelines to account for changes in the role of personal data in the economy 
and society. 

4Pub. L. No. 93-579, 88 Stat. 1896 (1974) (codified as amended at 5 U.S.C. §552a). The act 
generally prohibits (with a number of exceptions) the disclosure by Federal entities of records 
about an individual without the individual’s written consent and provides U.S. persons with a 
means to seek access to and amend their records. 
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ommendations and for a framework for consumer data privacy the White House 
issued in 2012.® 

Several Laws Apply in Specific Circumstances to Consumer Data That 
Resellers Hold 

No comprehensive Federal privacy law governs the collection, use, and sale of per- 
sonal information by private-sector companies. More narrowly tailored laws govern 
the use, sharing, and protection of personal information — they apply for specific pur- 
poses, in certain situations, to certain sectors, or to certain types of entities. The 
primary laws include the following: 

Fair Credit Reporting Act (FCRA).^ FCRA protects the security and confiden- 
tiality of personal information collected or used to help make decisions about 
individuals’ eligibility for credit, insurance, or employment.'^ It applies to “con- 
sumer reporting agencies” (such as credit bureaus) that provide “consumer re- 
ports.” ® 

Gramm-Leach-Bliley Act (GLBA)A GLBA protects nonpublic personal informa- 
tion that individuals provide to “financial institutions” or that such institutions 
maintain. GLBA sharing and disclosure restrictions apply to financial institu- 
tions or entities that receive nonpublic personal information from such a finan- 
cial institutions. For example, a third party that receives nonpublic personal 
information from a financial institution to process consumers’ account trans- 
actions may not use the information or resell it for marketing purposes. 

Health Insurance Portability and Accountability Act (HIPAA)A^ HIPAA estab- 
lishes a set of national standards to protect certain health information. The 
HIPAA privacy rule governs the use and disclosure of an individual’s health in- 
formation for purposes including marketing, With some exceptions, the rule 
requires an individual’s written authorization before a covered entity — a health 
care provider that transmits health information electronically in connection 
with covered transactions, health care clearinghouse, or health plan — may use 
or disclose the information for marketing, The act does not directly restrict 
the use, disclosure, or resale of protected health information by resellers or oth- 
ers not considered covered entities under the act. 

Children’s Online Privacy Protection Act (COPPA)A^ COPPA and its imple- 
menting regulations apply to the collection of information — such as name, e- 
mail, or location — that would allow someone to identify or contact a child under 
13.1® Covered website and online service operators must obtain verifiable paren- 
tal consent before collecting such information. COPPA may not directly affect 
information resellers, but the covered entities are potential sources of informa- 
tion for resellers. 

Electronic Communications Privacy Act (ECPAjA"^ ECPA prohibits the intercep- 
tion and disclosure of electronic communications by third parties unless an ex- 
ception applies (such as one party to the communication consenting to disclo- 
sure). For example, the act would prevent an Internet service provider from 


®The framework includes a consumer privacy bill of rights and encourages Congress to pro- 
vide FTC with enforcement authorities for the bill of rights. The White House, Consumer Data 
Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation 
in the Global Digital Economy (Washington, D.C.: Feb. 23, 2012). 

6 Pub. L. No. 91-508, Tit. VI, 84 Stat. 1114, 1128 (1970) (codified as amended at 15 U.S.C. 
§§ 1681-1681X). 

■'See 15 U.S.C. §1681. 

® For the definition of “consumer reporting agency”, see 15 U.S.C. § 1681a(f). For the definition 
of “consumer report”, see 15 U.S.C. § 1681afd). 

®Pub. L. No. 106—102, 113 Stat. 1338 (1999) (codified as amended in scattered sections of 12 
and 15 U.S.C.). 

i®See 15 U.S.C. §§6801-6802. Subtitle A of Title V of the act contains the privacy provisions 
relating to the disclosure of nonpublic personal information. 15 U.S.C. §§ 6801—6809. 

1^15 U.S.C. §6802. A “financial institution” is any institution the business of which is engag- 
ing in financial activities as described in section 4(k) of the Bank Holding Company Act (12 
U.S.C. § 1843(k)). 15 U.S.C. § 6809(3)(a). 

i®Pub. L. No. 104-191, 110 Stat. 1936 (1996) (codified as amended in scattered sections of 
18, 26, 29, and 42 U.S.C.). 

“45 C.F.R. Parts 160, 164. 

i^For the definition of “marketing”, including exceptions, see. 45 C.F.R. §164.501. 

“Pub. L. No. 105-277, Div. C, Tit. XHI, 112 Stat. 2681-728 (1998) (codified at 15 U.S.C. 
§§6501-6506). 

“FTC issued regulations implementing COPPA, 16 C.F.R. Part 312. 

I'^Pub. L. No. 99-508, 100 Stat. 1848 (1986) (codified as amended in scattered sections of 18 
U.S.C.). 
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selling the content of its customers’ e-mails to a reseller for marketing purposes, 
unless the customers had consented to disclosure. However, ECPA provides 
more limited protection for information considered to be “non-content,” such as 
a customer’s name and address. 

Federal Trade Commission Act (FTC Act), Section 5.^® The FTC Act prohibits 
unfair or deceptive acts or practices in or affecting commerce. Although the act 
does not explicitly grant FTC the specific authority to protect privacy, it has 
been interpreted to apply to deceptions or violations of written privacy policies. 
For example, if a retailer’s written privacy policy stated customers’ personal in- 
formation would not be shared with resellers and the retailer later sold informa- 
tion to such parties, FTC could bring an enforcement action against the retailer 
for unfair and deceptive practices. 

As they relate to specific types of consumer services or records, other Federal pri- 
vacy laws also may apply to information resellers’ practices and products. For in- 
stance, while not specifically a privacy law, the Computer Fraud and Abuse Act 
(CFAA) can restrict a third party from collecting personal information from a 
website when the collection would violate the site’s terms of service. The Tele- 
communications Act requires telecommunications carriers to protect the confiden- 
tiality of proprietary information of customers.^® 

Laws Have Limited Scope over Personal Data Used for Marketing 

Privacy protections under Federal law have been limited for consumer data used 
for marketing. The scope of protections is narrow in relation to individuals’ ability 
to access, control, and correct their personal data; collection methods and sources 
and types of information collected; and new technologies. 

Laws Provide Individuals Limited Ability to Access, Control, and Correct Their Per- 
sonal Data 

No Federal statute that we examined generally requires resellers to allow individ- 
uals to review personal information (intended for marketing purposes), control its 
use, or correct it. The FIPPs (for collection limitation and openness) state that indi- 
viduals should be able to know about and consent to the collection of their informa- 
tion, while the individual participation principle states they should have the right 
to access the information, request correction, and challenge the denial of those 
rights. 

No Federal statute provides consumers the right to learn what information is held 
about them and who holds it for marketing or look-up purposes. FCRA provides in- 
dividuals with certain access rights, but only when information is used for credit 
eligibility purposes.. And GLBA’s provisions allowing consumers to opt out of having 
their personal information shared with third parties apply only in specific cir- 
cumstances. Otherwise, individuals cannot require that their personal information 
not be collected, used, and shared. Also, no Federal law provides correction rights 
(the ability to have resellers and others correct or delete inaccurate, incomplete, or 
unverifiable information). 

Laws Largely Do Not Address Data Collection Methods, Sources, and Types 

Federal privacy laws are limited in addressing the methods by which, or the 
sources from which, resellers collect and aggregate personal information, or the 
types of information collected for marketing or look-up purposes. FIPPs (for data 
quality, purpose specification, and collection limitation) state that personal informa- 
tion should be relevant, limited to the purpose for which it was collected, and col- 
lected with the individual’s knowledge or consent. 

Federal laws generally do not govern the methods resellers may use to collect per- 
sonal information. An example of such a method is “web scraping,” in which re- 
sellers, advertisers, and others use software to search the web for information about 
individuals and extract and download bulk information from websites with con- 


U.S.C. §45. Section 5 of the FTC Act, as originally enacted, only related to “unfair meth- 
ods of competition.” The Wheeler-Lea Act, passed in 1938, expanded the Commission’s jurisdic- 
tion to include “unfair or deceptive acts or practices.” Wheeler-Lea Amendments of 1938, Puh. 
L. No. 75-447, 52 Stat. 111. 

19 Pub. L. No. 99-474, 100 Stat. 1213 (1986) (codified as amended at 18 U.S.C. §1030). Courts 
have held that CFAA prohibits access to websites when that access exceeds the sites’ terms of 
use or end-user license agreements. See, e.g., Snap-On Bus. Solutions Inc. v. O'Neil & Assoc., 
Inc., 708 F.Supp. 2d 669 (N.D. Ohio 2010); Southwest Airlines Co. v. Farechase, Inc., 318 
F.Supp. 2d 435 (N.D. Tex. 2004); America Online, Inc. v. LCGM, Inc., 46 F.Supp. 2d 444 (E.D. 
Va. 1998). 

29 Pub. L. No. 104-104, 110 Stat. 56 (1996) (codified as amended in scattered sections of 15 
and 47 U.S.C.). 
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Sumer information. Resellers or retailers also may collect information indirectly (by 
combining information from transactions). 

Current law generally allows resellers to collect personal information from sources 
including warranty registration cards, surveys, and online sources such as discus- 
sion boards, social media sites, blogs, and web browsing histories and searches. Cur- 
rent law does not require disclosure to consumers when their information is col- 
lected from these sources. 

The Federal laws that address the types of consumer information that can be col- 
lected and shared are not comprehensive. Under most circumstances, information 
that many people may consider very personal or sensitive can be collected, shared, 
and used for marketing. This can include information about physical and mental 
health, income and assets, political affiliations, and sexual hahits and orientation. 
For health information, HIPAA provisions apply only to covered entities. 

Current Law Does Not Directly Address Some Privacy Issues New Technology Raises 

The current privacy framework does not fully address new technologies such as 
social media, web tracking, and mobile devices. In a 2013 report, FTC noted that 
mobile technologies present unique privacy challenges (for instance, mobile devices 
identify a user’s geographical location). As shown in figure 1, the original enact- 
ment of several Federal privacy laws predates these trends and technologies. 


Federal Trade Commission, Mobile Privacy Disclosures: Building Trust through Trans- 
parency (Washington, D.C.: February 2013). 
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Figure 1 : Dates of Enactment of Key Federal Privacy Laws and the Introduction of 
New Technologies 



Source: GAO. 

Note: The most recent amendments to the Federal laws referenced in figure 2 are as follows: 

• Federal Trade Commission Act of 1914: last amended July 21, 2010 (Pub. L. 111-203). 

• Fair Credit Reporting Act of 1970: last amended Dec. 18, 2010 (Pub. L. No. 111—319). 

• Family Educational Rights and Privacy Act of 1974: last amended Jan. 14, 2013 (Pub. 
L. No. 112-278). 

• Electronic Communications Privacy Act of 1986: last amended Oct. 19, 2009 (Pub. L. No. 
111-79). 

• Video Privacy Protection Act of 1988: last amended Jan. 10, 2013 (Pub. L. No. 112-258). 

• Driver’s Privacy Protection Act of 1994: last amended Oct. 23, 2000 (Pub. L. No. 106-346). 

• Health Insurance Portability and Accountability Act of 1996: last amended Mar. 23, 2010 
(Pub. L. No. 111-148). 

• Children’s Online Privacy Protection Act of 1998: has not been amended. 

• Gramm-Leach-Bliley Act of 1999: last a m ended July 21, 2010 (Pub. L. No. 111—203). 

Because these laws were enacted to protect the privacy of information involving 
specific sectors rather than to address specific technologies, some have been inter- 
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preted to apply to new technologies. For example, FTC has taken enforcement ac- 
tions under COPPA and revised the statute’s implementing regulations to account 
for smartphones and mobile applications. 

Online Tracking 

No Federal privacy law explicitly addresses the full range of practices to track or 
collect data from consumers’ online activity. Cookies — text files placed on a com- 
puter by the website that the computer user visits — allow website operators to recall 
information such as user name and address, credit card number, and purchases in 
a shopping cart. Resellers can match information in cookies and their databases to 
augment consumer profiles. Third parties also can synchronize their cookie files 
with resellers’ files. Advertisers can use third-party cookies — placed on a computer 
by a domain other than the site being visited — to track visits to the websites on 
which they advertise. Consumers’ ability to prevent such tracking can be restricted. 
For example, flash cookies — cookies which do not expire at the end of a browsing 
session — cannot be erased.^^ 

While current law does not explicitly address web tracking, FTC has taken en- 
forcement actions related to web tracking under its authority to enforce the prohibi- 
tion on unfair or deceptive acts. For example, in 2011, FTC settled charges with 
Google for $22.5 million after alleging that Google violated an earlier privacy settle- 
ment with FTC when it misrepresented to users of Apple’s Safari web browser that 
it would not track and serve targeted advertisements to Safari users. Google 
agreed to disable its advertising tracking cookies. 

Federal law also does not expressly prohibit “history sniffing,” which uses code on 
a webpage to record visitors’ browsing history. However, in 2012, FTC took an en- 
forcement action against Epic Marketplace, a large online advertising network, for 
deceptively failing to disclose its use of history-sniffing technology.^"* Epic Market- 
place used the data it collected to target advertising. 

Mobile Technologies 

In relation to collection and use of consumer data for marketing, no Federal pri- 
vacy laws that we identified specifically govern mobile applications and tech- 
nologies. 

Mobile applications. No Federal law specifically governs mobile applications — 
software downloaded onto mobile devices for uses such as providing information 
and online banking and shopping. Application developers, mobile carriers, ad- 
vertisers, and others may collect an individual’s information through services 
provided on a mobile device. However, FTC has taken enforcement action 
against companies for use of mobile applications that violate COPPA and 
FCRA.2® The agency also has taken action under the FTC Act.^'^ And CFAA, 
which bans unauthorized access to computers, has been found to apply to mo- 
bile phones.2® 


22 Shannon Canty, Chris Jay Hoofnagle, et at, “Flash Cookies and Privacy” (Aug. 10, 2009), 
available at http:! / papers.ssrn.com / sol3 1 papers.cfm?abstract id=1446862. 

22 United States v. Google Inc., No. CV 12-04177-SI, 2012 WL 5833994 (N.D. Cal. Nov. 16, 
2012 ). 

24 FTC alleged that Epic Marketplace’s use of history-sniffing was deceptive because it col- 
lected data about sites outside of its network that consumers had visited, contrary to Epic’s pri- 
vacy policy, which represented that it would collect information only about consumers’ visits to 
websites in its network. In the Matter of Epic Marketplace, Inc., and Epic Media Group, LLC, 
FTC File No. 112 3182, decision and order (Mar. 13, 2013). 

2 ® On July 25, 2013, Commerce released a draft of a voluntary code of conduct for mobile ap- 
plications, including guidelines for notices to consumers about collection and sharing of informa- 
tion with third parties. See Department of Commerce, National Telecommunications and Infor- 
mation Administration, Short Form Notice Code of Conduct to Promote Transparency in Mobile 
App Practices, redline draft (July 25, 2013), available at http:/ lwww.ntia.doc.gov/files/ntia/ 
publications / July 25 code drcift.pdf. 

26 FTC settled charges that a social networking service deceived consumers when it collected 
information from children under 13 through its mobile application in violation of COPPA. See 
United States v. Path, Inc., No. C13— 0448 (N.D. Cal. Jan. 31, 2013). FTC also settled charges 
that a company compiled and sold criminal record reports through its mobile application and 
operated as a consumer reporting agency in violation of FCRA. See In the Matter of Filiquarian 
Publishing, LLC, FTC File No. 112 3195 (Apr. 30, 2013). 

22 For example, in addition to the alleged COPPA violation. Path allegedly deceived users by 
collecting personal information from their mobile address books without their knowledge and 
consent. See United States v. Path, Inc., No. C13— 0448 (N.D. Cal. Jan. 31, 2013). 

28 In 2011, the U.S. Court of Appeals for the Eighth Circuit held that a basic cellular tele- 
phone — used only to place calls and send text messages — was a computer for CFAA purposes. 



63 


Location tracking. No Federal privacy laws, except COPPA, expressly address 
location data, location-based technology, and consumer privacy. We and others 
have reported that the capability of mobile devices to provide consumer’s loca- 
tion engenders privacy risks, particularly if companies use or share location 
data without consumers’ knowledge.^® ECPA might not apply if location data 
were not deemed content and would not govern entities such as developers of 
location-hased applications that are not covered by ECPA. But FTC could pur- 
sue enforcement action if a company’s collection or use of the information vio- 
lated COPPA. 

Mobile payments. No Federal privacy laws expressly address mobile payments 
(for example, by smartphone). An FTC report noted that although mobile pay- 
ment can be an easy way for individuals to pay for goods and services, privacy 
concerns have arisen because of the number of companies in the mobile pay- 
ment marketplace and the large amount of detailed personal and purchase in- 
formation collected and consolidated.®® 

Stakeholders Diverge on Adequacy of Legal Framework and Need for Legislation 
Stakeholder views diverge on whether significant gaps in the legal framework for 
privacy exist, whether more legislation is needed, or whether self-regulation can suf- 
fice. The marketing and information reseller industries generally have argued that 
the current framework of sector-specific laws and regulations has not left significant 
gaps in consumer privacy protections. Privacy advocates and others stated that the 
current privacy scheme leaves significant gaps. Industry and privacy advocates also 
disagreed on the need for more legislation or regulation and the efficacy of self-regu- 
latory approaches to protect privacy. Industry representatives acknowledged the im- 
portance of consumer privacy protections, but argued that voluntary industry meas- 
ures and self-regulation mitigated the need for additional legislation. Some privacy 
advocates and others argued that voluntary compliance or self-regulation was not 
sufficient to uniformly protect consumer privacy rights. 

Views Differ on Approaches to Privacy Law and Consumer Interests 

Dehate also has focused on appropriate approaches for new privacy legislation or 
regulation. This dehate can be framed around three sets of issues: a comprehensive 
versus sector-specific approach to privacy legislation; how to address consumers’ in- 
terests in accessing, controlling, and correcting their data; and the potential impact 
of new regulation on consumers and commerce. 

Comprehensive versus Sector-Specific Approaches 
Ongoing debate centers on what kind of legislative approach — sectoral or com- 
prehensive — would best effect enhanced consumer privacy protections. Industry 
stakeholders have argued a comprehensive privacy law would amount to a one-size- 
fits-all approach and could be overly burdensome. Stakeholders also said that the 
current sector-specific system was flexible and well-suited to addressing any gaps. 
In contrast, some consumer and privacy groups and academic experts cited advan- 
tages to comprehensive privacy legislation such as filling gaps in existing privacy 
protections and providing comprehensive and consistent protections. Privacy advo- 
cates and some business representatives also argued that comprehensive legislation 
would benefit businesses internationally and help reduce compliance costs. 

While not recommending a comprehensive Federal privacy statute as such, in 
2010 Commerce’s Internet Policy Task Force recommended the adoption of a base- 
line commercial data privacy framework built on an expanded FIPPs. The 2012 
White House privacy framework called for enacting baseline legislation while pre- 
serving existing sector-specific laws. The Administration supported exempting com- 
panies from consumer data privacy legislation to the extent their activities were 
subject to existing data privacy laws. 


The judicial decision did not address more advanced devices such as smartphones in the CFAA 
context. See JJ.S. v. Kramer, 631 F.3d 900 (8th Cir. 2011). 

29 Risks included disclosure to third parties for unspecified uses, tracking of consumer behav- 
ior, and identity theft. See GAO, Mobile Device Location ID: Additional Federal Actions Could 
Help Protect Consumer Privacy, GAO-12-903 (Washington, D.C.: Sept. 11, 2012). A Federal 
Communications Commission report also noted privacy risks. See Federal Communications Com- 
mission, Location-Based Services: An Overview of Opportunities and Other Considerations 
(Washington, D.C.: May 2012). 

39 Federal Trade Commission, Paper, Plastic or Mobile? An FTC Workshop on Mobile Pay- 
ments (Washington, D.C.: March 2013). 
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Views on How to Address Consumers’ Interests in Use and Control of Their Data 

Other debate on privacy protections has focused on the third-party market for and 
usage of consumer data, whether or how consumers can access and control such 
usage or correct data, and how or if limits should apply to web tracking. 

Use of Consumer Data 

Consumer and privacy advocates have noted that consumers often were not aware 
of, and had not always consented to, personal information being repurposed for mar- 
keting and other uses. Changes in the marketplace for consumer data include a vast 
increase in recent years in the number and types of companies that collect and 
share such data with third parties. The Administration noted that consumers have 
a right to expect that companies will collect, use, and disclose their information in 
ways consistent with the context in which the information was provided.^^ FTC ar- 
ticulated a “context of the interaction” standard for determining when a practice re- 
quired consumer choice.®^ 

Representatives of information resellers, marketers, and other industries that use 
consumer data have argued that repurposing generally is not inappropriate or 
harmful. One reseller argued that personal information on unrestricted websites — 
such as blogs — becomes publicly available and can be used by a third party, without 
legal or ethical limitations on its use. 

Access and Correction 

Stakeholders’ views differed on the extent to which consumers should be able to 
access data held about them. FTC said that companies should provide reasonable 
access to consumer data they maintain, a position many privacy groups echoed. FTC 
called on information resellers that compile data for marketing purposes to explore 
creating a centralized website on which resellers would identify themselves, describe 
how they collect and use the data, and consumers’ access rights and choices. 

Debate also developed on consumers’ right to correct information held about them. 
Some privacy advocates and members of Congress have argued that consumers 
should have the right to correct inaccurate information. One advocate noted that 
data not covered by FCRA also can be used for fraud prevention and identity 
verification, and that inaccuracies in this context could harm a consumer. Another 
advocate noted that companies may base some individual product pricing on a con- 
sumer’s profile, so inaccurate data could affect the price offered. But FTC and the 
Direct Marketing Association said that special measures were not needed to ensure 
the accuracy of data maintained and used for marketing. The Administration ex- 
pressed a similar view in its privacy framework. Some resellers also said that be- 
cause they acquire information from many sources, giving consumers the oppor- 
tunity to correct information would not be effective unless consumers also could 
have information corrected at the sources from which it had been drawn. 

Web Tracking 

Some of the most publicized debate on privacy and new technologies has centered 
on consumers’ ability to control tracking of their web activity. Areas of disagreement 
include the effectiveness of voluntary initiatives that allow consumers to exert some 
control over tracking and the use of information collected during tracking. For ex- 
ample, the Digital Advertising Alliance developed an icon to let web page users 
know that their visit was being tracked and their actions used to infer their inter- 
ests and target future advertising. Users can click on the icon to learn more about 
behavioral advertising and control whether they receive such advertising and from 
which companies.^'* Some privacy advocates have pointed to limitations to this 
mechanism (for example, the opt-out option only applies to companies in the Digital 
Advertising Alliance). 

Debate also has developed about the implementation of “do not track.” Under this 
approach, consumers would be able to choose whether to allow the collection and 
use of data about their online searching and browsing. FTC supported the concept 


^^The White House, A Framework for Protecting Privacy (2012). 

Federal Trade Commission, Protecting Consumer Privacy in an Fra of Rapid Change, pp. 
38-39. 

Federal Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change, pp. 
38-39; and letter from Direct Marketing Association to members of Congress on August 13, 
2012, available at http://the-dma.org/news/August-13-2012-DMALetter.pdf. 

According to the Digital Advertising Alliance, in 2012 more than 5.2 million unique users 
accessed the resources at www.aboutads.info, and nearly 1 million exercised a choice using the 
site’s opt-out mechanism. 



65 


of a universal do-not-track mechanism in its 2010 and 2012 privacy reports.^® On 
the self-regulatory side, some Internet browsers, including Mozilla Firefox, have in- 
troduced do-not-track features. The World Wide Web Consortium has been devel- 
oping a universal web protocol for do not track.^® But disagreements on different 
issues (such as scope and technological specifications) have delayed widespread 
adoption or standardization of do not track.®'^ 

Proposals in Congress and elsewhere would require FTC to promulgate regula- 
tions for a do-not-track mechanism.®® Proponents of such proposals noted that the 
use of third-party cookies greatly increased in recent years — for example, the Wall 
Street Journal identified more than 3,000 tracking files the top 50 websites placed 
on a test computer.®® Advocacy organizations argued that Internet users may not 
be fully aware of the extent of third-party tracking and that users should affirma- 
tively consent to tracking. Some members of Congress raised concerns about flash 
cookies and whether the FTC Act’s prohibition of unfair or deceptive acts or prac- 
tices would cover them. Representatives of the advertising and other industries have 
cautioned against many of the proposals. 

Views on Potential Impaets of New Regulation on Consumers and Commerce 

Representatives of the marketing and reseller industries argued that regulatory 
restrictions on using consumer data could reduce the benefits consumers get. Adver- 
tising representatives noted that targeted marketing and advertising helps under- 
write applications and services available free to consumers. Some resellers said that 
targeted behavioral advertising gives consumers information relevant to their spe- 
cific interests, needs, or preferences. However, some privacy advocates believe that 
consumer benefits have been overstated. Some advocates also raised concerns that 
the profiling and scoring techniques used to deliver specific advertisements to spe- 
cific consumers might have discriminatory effects because they present information, 
sales, or opportunities only to consumers with certain characteristics. 

Stakeholder views also diverged on the potential economic effects of strengthened 
privacy regulations. Industry representatives said that new restrictions on the use 
of consumer information could inhibit innovation and increase compliance costs for 
businesses. Privacy and consumer groups said that the industry’s claims that in- 
creased privacy protections would be too burdensome and stifle innovation have not 
been accompanied by convincing evidence. And in public comments solicited by Com- 
merce in 2010 on information privacy and innovation in the Internet economy, on- 
line businesses and advertisers noted the importance of respecting customers’ pri- 
vacy if they wanted to retain their business or encourage individuals to adopt new 
devices and services.^® 

Views vary on the economic effects of greater harmonization of U.S. and foreign 
privacy rules. Commerce’s Internet Policy Task Force noted that a significant num- 
ber of comments they received concerned difficulties and costs in compl 3 ring with for- 
eign data protection rules and regulations. For example, the European Union’s 1995 
Data Protection Directive states that personal information of European Union citi- 
zens may not be transmitted to nations not deemed to have “adequate” data protec- 
tion laws."*! The United States does not have an adequacy finding from the Euro- 
pean Commission.'^® 


®®Federal Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change (2012) 
and Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Busi- 
nesses and Policymakers; preliminary staff report (Washington, D.C.: December 2010). 

®®In the World Wide Web Consortium, member organizations and the public work together 
to develop web protocols and standards. The consortium’s Tracking Protection Working Group 
proposes recommendations and technologies to improve user privacy and control. See http:// 
w3.org/2011/tracking-protection/. 

Senate Committee on Commerce, Science, and Transportation, A Status Update on the De- 
velopment of Voluntary Do-Not-Track Standards, 113th Cong., 1st sess., April 24, 2013; see testi- 
mony of Justin Brookman, Director, Consumer Privacy, Center for Democracy and Technology. 

®®For example, see Do-Not-Track Online Act of 2013, S. 418, 113th Cong. 

Julia Angwin, “The Web’s New Gold Mine: Your Secrets,” Wall Street Journal, July 30, 
2010 . 

Department of Commerce, Notice of Inquiry, Information Privacy and Innovation in the 
Internet Economy (Privacy and Innovation NOI), 75 Fed. Reg. 21226, Apr. 23, 2010, available 
at http: I ! ntia.doc.gov ffrnotices (2010 /FR PrivacyNOI 0423201 0.pdf. 

European Union, Directive 95 ! 46 ! EC of the European Parliament and of the Council on the 
Protection of Individuals with Regard to the Processing of Personal Data and the Free Movement 
of Such Data (Oct. 24, 1995). 

However, companies participating in the U.S.-EU Safe Harbor Framework are deemed to 
provide adequate data protections and may transfer personal data from the European Union. 

Continued 
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The task force recommended the U.S. government work toward mutual recogni- 
tion of other commercial data privacy frameworks.''^ Many commenters also advo- 
cated for greater harmonization of privacy rules. In contrast, some industry observ- 
ers warned against enacting a stricter privacy regime like the European Union’s. 
A reseller representative said moving to a stricter regime would hinder commerce 
and innovation. 

New technologies have enormously changed the amount of personal information 
private companies collect and how they use it. But our current privacy framework 
does not fully address these changes. Laws protecting privacy interests are tailored 
to specific sectors and uses. And, consumers have little control over how their infor- 
mation is collected, used, and shared with third parties for marketing purposes. As 
a result, current privacy law is not always aligned with the Fair Information Prac- 
tice Principles, which Commerce and others have said should serve as the founda- 
tion for commercial data privacy. Thus, the privacy framework warrants reconsider- 
ation in relation to consumer interests, new technologies, and other issues. In our 
September report, we suggested that Congress consider strengthening it and review 
issues such as the adequacy of consumers’ ability to access, correct, and control their 
personal information; and privacy controls related to new technologies. The chal- 
lenge will be providing appropriate protections without unduly inhibiting the bene- 
fits to consumers, commerce, and innovation that data sharing can accord. 

This concludes my statement for the record. 

Senator Thune. I will be asking our witnesses how data broker 
practices for marketing purposes may impact consumers, both posi- 
tively and negatively. I am also interested in hearing from our wit- 
nesses how the industry can work to balance the privacy concerns 
of individuals with the information needs of businesses and our 
economy. 

Finally, Mr. Chairman, while I have expressed my thanks to all 
of our witnesses being here today, I do want to add a special note 
of thanks to Tony Hadley from Experian. This inquiry began with 
letters sent to nine companies, and over time it has also included 
letters to several consumer-facing websites. Having only one of 
those companies testify is a good way to keep the number of wit- 
ness manageable in light of the busy Senate schedule. 

Mr. Hadley, I am sure that many of the other companies are also 
grateful for your willingness to testify and help advance our under- 
standing — 

[Laughter.] 

Senator Thune. — of the data broker industry. I know I certainly 
am. 

So I want to thank you again, Mr. Chairman, for having this 
hearing, and I do look forward to hearing from our witnesses. 

The Chairman. Thank you. Senator Thune, very much. 

We have — well, I will just do one by one — Jessica Rich. Ms. Rich 
is the Director of the Bureau of Consumer Protection at the Fed- 
eral Trade Commission. And I will go down the line. 

Could you give your testimony, please? 

STATEMENT OF JESSICA RICH, DIRECTOR, BUREAU OF 
CONSUMER PROTECTION, FEDERAL TRADE COMMISSION 

Ms. Rich. Chairman Rockefeller, Ranking Member Thune, and 
members of the Committee 

The Chairman. You have to push a little button. 


FTC has the authority to enforce the substantive privacy requirements of the U.S.-EU Safe Har- 
bor Framework. 

43 Department of Commerce, Internet Policy Task Force, Commercial Data Privacy and Inno- 
vation in the Internet Economy: A Dynamic Policy Framework (Washington, D.C.: 2010). 
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Ms. Rich. That would be a good start. 

The Chairman. It is called “technology.” 

Ms. Rich. Yes. 

[Laughter.] 

Ms. Rich. I assure you I know something about technology. 

I am Jessica Rich, director of the Bureau of Consumer Protection 
at the Federal Trade Commission. And I really appreciate this op- 
portunity to present the Commission’s testimony on data brokers. 

This is a highly opportune time to examine the practices of data 
brokers, as technological developments have allowed for the dra- 
matic increase in the collection and use of consumers’ information. 

Data brokers collect consumers’ personal information from a wide 
variety of sources and resell it for a variety of purposes without 
most consumers ever knowing of their existence, much less the va- 
riety of practices in which they engage. And many of these prac- 
tices, as you noted, fall outside of the scope of existing laws. 

I know this committee is well aware of the lack of transparency 
of data broker practices. Chairman Rockefeller, we commend you 
for your leadership on this issue and stand ready to work with the 
Committee and with Congress on ways to improve the trans- 
parency of data broker practices. The report you released today is 
a key initiative in this effort, as is the study you requested from 
GAO. 

At the FTC, our work on data broker practices goes back to the 
1970s. For decades, policymakers have expressed concerns about 
the transparency of companies that buy and sell consumer data. In- 
deed, the existence of companies selling consumer data for credit 
and other eligibility determinations, invisibly and behind the 
scenes, led to the enactment in 1970 of the Fair Credit Reporting 
Act. 

Since then, the Commission has been active in examining the 
practices of data brokers. We have used three primary tools in this 
effort. 

First, we bring enforcement actions when company practices vio- 
late the law. Perhaps our most well-known data broker case in- 
volved ChoicePoint, in which we obtained $10 million in civil pen- 
alties and $5 million in redress for consumers. We alleged that 
ChoicePoint implemented lax privacy and security procedures, re- 
sulting in sensitive consumer report information ending up in the 
hands of known identity thieves. 

More recently, we entered into a consent decree with online data 
broker Spokeo. According to our complaint, Spokeo collected per- 
sonal information from hundreds of online and offline sources, in- 
cluding social networks, and combined that data into detailed per- 
sonal profiles. We allege that Spokeo marketed these profiles for 
use by human resource departments in hiring, which made it a 
consumer reporting agency subject to the Fair Credit Reporting 
Act, but that it failed to abide by the FCRA’s accuracy and privacy 
requirements. The order contains strong injunctive relief and an 
$800,000 civil penalty. 

Second, the Commission conducts research and issues reports ad- 
dressing data broker issues. For example, our 2012 privacy report 
made best practices and legislative recommendations for consumer 
privacy, including specific recommendations regarding data bro- 
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kers. Among other things, the report reiterated a longstanding 
Commission recommendation that data brokers provide consumers 
with access to the data they maintain and, depending on how the 
data is used, the ability to correct it. 

More recently, in order to shine a light on the industry, we 
issued orders requiring nine data brokers to provide us with infor- 
mation regarding how they collect and use consumer data. The 
Commission is close to completing a report based on this informa- 
tion and expects to release it in the coming months. 

And in the spring of next year, we plan to host a series of privacy 
workshops, including a seminar on what is called “alternative scor- 
ing products” offered by data brokers — that is, products that com- 
panies use to predict consumer behavior and shape how they mar- 
ket to particular consumers. 

Our final tool is educating businesses and consumers on privacy 
issues in the practices of data brokers. For example, we recently 
sent letters to multiple data brokers that provide tenant and back- 
ground screening services, warning them about their duty to com- 
ply with the Fair Credit Reporting Act. And for consumers, we re- 
cently produced a video on data brokers and have published fre- 
quent blog posts and updates on issues related to the data broker 
industry. 

In closing, as the collection and use of consumer data continues 
to explode, we share the Committee’s commitment to continue to 
examine data brokers, and we stand ready to work with the Com- 
mittee on this critical issue. 

Thank you. 

[The prepared statement of Ms. Rich follows:] 

Prepared Statement of the Federal Trade Commission 

I. Introduction 

Chairman Rockefeller, Ranking Member Thune, and members of the Committee, 
I am Jessica Rich, Director of the Bureau of Consumer Protection of the Federal 
Trade Commission (“FTC” or “Commission”). ^ I appreciate the opportunity to 
present the Commission’s testimony on data brokers. 

Data brokers collect and aggregate consumers’ personal information from a wide 
range of sources and resell it for an array of purposes, such as marketing, verif3dng 
an individual’s identity, and preventing financial fraud. Because data brokers gen- 
erally never interact directly with consumers, consumers are typically unaware of 
their existence, much less the variety of ways they collect, analyze, and sell con- 
sumer data. 

This Committee, by investigating the privacy practices of data brokers, has helped 
call attention to the lack of transparency surrounding data broker privacy practices. 
We look forward to reviewing the Committee’s report on its examination of the data 
broker industry. We commend Chairman Rockefeller’s leadership on this issue and 
stand ready to work with this Committee and Congress on ways to improve the 
transparency of data broker practices. As the Committee is aware, the Commission 
is developing its own report on the data broker industry (discussed further below), 
which the Commission expects to release in the coming months. 

This testimony begins by describing the Commission’s longstanding work in this 
area. It then lays out our strategy for addressing the privacy practices of the data 
broker industry through enforcement, research and reports, and business and con- 
sumer education. 


^This written statement presents the views of the Federal Trade Commission. My oral state- 
ments and responses to questions are my own and do not necessarily reflect the views of the 
Commission or any Commissioner. 
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II. Background on FTC Initiatives Concerning Data Broker Privacy 
Practices 

Concerns about the privacy practices of companies that buy and sell consumer 
data are not new. Indeed, in 1970, the existence of companies selling consumer data 
with little transparency for credit and other eligibility determinations led Congress 
to enact the Fair Credit Reporting Act (FCRA)^, which it gave the Commission au- 
thority to enforce. 

In the late 1990s, the Commission began to examine the privacy practices of data 
brokers that fall outside the FCRA.® Notably, in 1997, the Commission held a work- 
shop to examine database services used to locate, identify, or verify the identity of 
individuals, referred to at the time as “individual reference services.” The workshop 
prompted industry members to form the self-regulatory Individual Reference Serv- 
ices Group (IRSG).'‘ The Commission subsequently issued a report on the workshop 
and the IRSG. The report commended the process made by the industry’s self-regu- 
latory programs, but one of the report’s conclusions was that the industry’s efforts 
did not adequately address the lack of transparency of data broker practices. Al- 
though industry ultimately terminated the IRSG, a series of public breaches — in- 
cluding one involving ChoicePoint — led to renewed scrutiny of the practices of data 
brokers.® 

Most recently, in its 2012 report Protecting Consumer Privacy in an Era of Rapid 
Change: Recommendations for Businesses and Consumers (Privacy Report),® the 
Commission specifically addressed the privacy practices of data brokers. The Com- 
mission described three different categories of data brokers: (1) entities subject to 
the FCRA; (2) entities that maintain data for marketing purposes; and (3) non- 
FCRA covered entities that maintain data for non-marketing purposes that fall out- 
side of the FCRA, such as to detect fraud or locate people.'^ The report noted that, 
while the FCRA gives consumers a variety of rights with regard to companies that 
sell data for credit, employment, and insurance purposes, data brokers within the 
other two categories operate without much transparency. 

Building on the agency’s prior work, the Commission’s Privacy Report made rec- 
ommendations to improve the transparency of the practices of data brokers and to 
give consumers greater control over how their information is used. Among other 
things, the Report proposed that data brokers provide consumers with reasonable 
access to the data they maintain. The Report also noted that the Commission had 
long supported legislation that would give access rights to consumers for informa- 
tion held by data brokers.® The Report stated that the Commission continues to sup- 
port legislation in this area to improve the transparency of industry practices.® 

III. The Commission’s Ongoing Initiatives Regarding Data Brokers 

The Commission’s ongoing initiatives to address the privacy practices of the data 
broker industry build on this body of prior work. The Commission is pursuing a 
three-pronged strategy to ensure consumer interests are protected in the data 
broker context. First, the Commission takes aggressive enforcement action to ensure 
that data brokers comply with the FCRA where it applies. Second, as data broker 
business models expand beyond traditional credit reporting, the FTC continues to 


2 15 U.S.C. § 1681 et seq. 

2 See, e.g., FTC Workshop, The Information Marketplace: Merging & Exchanging Consumer 
Data (Mar. 13, 2001), available at http: I / www.ftc.gov I bcp I workshops I infomktplace I index 
.shtml; Prepared Statement of the FTC, Identity Theft: Recent Developments Involving the Secu- 
rity of Sensitive Consumer Information: Hearing Before the S. Comm, on Banking, Housing, and 
Urban Affairs, 109th Cong. (Mar. 10, 2005), available at http:! Iwww.ftc.gov ! public-statements I 
2005 / 03 1 prepared-statement-federaTtrade-commission-identity-theft-recent; see also FTC Work- 
shop, Information Flows: The Costs and Benefits to Consumers and Businesses of the Collection 
and Use of Consumer Information (June 18, 2003), available at http: / / www.ftc.gov I news-events i 
events-calendar / 2003 / 06 / information-flows-costs-and-benefits-related-collection-and-use. 

"^See FTC, Individual Reference Services, A Report to Congress (1997), available at http:! / 
www.ftc.gov / reports ! individual-reference-services-report-congress. 

®This scrutiny included an FTC investigation that resulted in the FTC’s largest FCRA civil 
penalty to date. See United States v. ChoicePoint, Inc., No. 1:06— cv— 00198 (N.D. Ga. Feb. 15, 
2006) (stipulated final order imposing $10 million line and $5 million in consumer redress), 
available at http:! I www.ftc.gov ! sites ! default ! files I documents I cases ! 2006 j 01 ! stipfinaljudge 
ment.pdf. 

®FTC, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Busi- 
nesses and Policymakers (Mar. 2012), available at http:/ 1 ftc.gov I os/ 2012 1031 120326privacy 
report.pdf. Commissioner Wright’s term as Commissioner began in January 2013 and he was 
not at the Commission when the Privacy Report was issued. While he may not necessarily en- 
dorse all the views in that Report, he agrees with the substance of this testimony. 

Md. at 65. 

Old. at 69. 
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conduct research and issue reports examining the practices of the data broker indus- 
try. Third, the Commission educates businesses about their legal responsibilities, es- 
pecially small data brokers that may be unaware of their legal obligations, and con- 
sumers regarding how their data is disseminated. These three initiatives are dis- 
cussed below. 

A. Enforcement 

The Commission maintains an aggressive FCRA enforcement program. To date, 
it has brought almost 100 cases and obtained in excess of $30 million in civil pen- 
alties. FCRA enforcement is a vital priority for the agency, particularly as compa- 
nies that are not traditional credit reporting agencies venture into territory covered 
by the FCRA.io 

For example, last year the Commission entered into a consent decree with online 
data broker Spokeo to resolve allegations that the company violated the FCRA.^i 
As set forth in the Commission’s complaint, Spokeo assembled personal information 
from hundreds of online and offline data sources, including social networks, and 
merged that data to create detailed personal profiles, including name, address, age 
range, hobbies, ethnicity, and religion. Spokeo marketed these profiles for use by 
human resources departments in hiring decisions. The FTC alleged that Spokeo, 
which marketed profiles for employment purposes, was a consumer reporting agency 
subject to the FCRA. The Commission charged Spokeo with violating the FCRA by, 
among other things, failing to (1) take reasonable steps to ensure the accuracy of 
information; and (2) tell its clients about their obligations under the FCRA, includ- 
ing the requirement to send adverse action notices to people denied employment on 
the basis of information obtained from Spokeo. The order contained strong injunc- 
tive relief and an $800,000 civil penalty. 

The Commission also recently took action against a mobile application developer 
that compiled and sold criminal record reports without complying with the FCRA.^^ 
The app developer, Filiquarian, claimed that consumers could use its mobile apps 
to access hundreds of thousands of criminal records and conduct searches on poten- 
tial employees. The FTC charged that Filiquarian failed to take reasonable steps to 
ensure that the information it sold was accurate and would be used solely for per- 
missible purposes, as required by the FCRA. In addition, Filiquarian failed to in- 
form users of its reports of their obligations under the FCRA, including the require- 
ment to notify consumers if an adverse action was taken against them based on a 
report. In both the Spokeo and Filiquarian cases, the companies’ terms of service 
included disclaimers stating that the information they provided should not be used 
for FCRA purposes. Despite these disclaimers, the companies specifically advertised 
that their reports could be used for employment purposes. 

Most recently, the Commission entered into a consent decree with Certegy Check 
Services, one of the Nation’s largest check authorization service companies. 
Certegy compiles consumers’ personal information and uses it to help retail mer- 
chants determine whether to accept consumers’ checks. The Commission’s complaint 
alleged that, among other things, when a merchant denied a consumer’s check, and 
the consumer contacted Certegy to dispute the denial, the company failed to follow 
proper dispute procedures, as required by the FCRA. As a result, Certegy’s denials 
may have been in error, and consumers may not have been able to pay for essential 


The FCRA provides basic consumer protections when consumer reporting data is used to 
make eligibility determinations for credit, insurance, employment and similar purposes. 

11 United States v. Spokeo, Inc., No. CV12-05001 fC.D. Cal. June 12, 2012), available at 
http: I j www.ftc.gov I enforcement ! cases-and-proceedings / cases 12012 106/ spokeo-inc-united-states- 
america-federal-trade; see also Press Release, FTC, Spokeo to Pay $800,000 to Settle FTC 
Charges Company Allegedly Marketed Information to Employers and Recruiters in Violation of 
FCRA (June 12, 2012), available at http: I lwww.ftc.gov I news-events ! press-releases 12012 ! 06! 
spokeo-pay-800000-settle-ftc-charges-company-allegedly-marketed. 

i^Decision and Order, Filiquarian Publishing, LLC, FTC File No. 112—3195 (May 1, 2013), 
available at http:! / www.ftc.gov / enforcement / cases-and-proceedings / cases / 2013 / 05 / filiquarian- 
puhlishing-llc-choice-level-llc-and; see also Press Release, FTC, FTC Approves Final Order Set- 
tling Charges Against Marketers of Criminal Background Screening Reports (May 1, 2013), 
available at http:! / www.ftc.gov I news-events / press-releases 1 2013 1 05 1 ftc-approves-finaTorder- 
settling-charges-against-marketers. 

lOf/.S. V. Certegy Check Servs., Inc., No. 1:13— cv-01247 (D.D.C. Aug. 15, 2013), available at 
http: ! i www.ftc.gov I enforcement / cases-and-proceedings ! cases 12013 1081 certegy -check-services- 
inc; ; see also Press Release, FTC, Certegy Check Services to Pay $3.5 Million for Alleged Viola- 
tions of the Fair Credit Reporting Act and Furnisher Rule (Aug. 15, 2013), available at http:! / 
www.ftc.gov I news-events / press-releases ! 2013 / 08 / certegy-check-services-pay-35-million-alleged- 
violations-fair. 
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goods and services. Certegy agreed to pay $3.5 million, the agency’s second largest 
FCRA fine, to resolve the Commission’s allegations. 

B. Research and Reports 

The Commission is devoting significant resources to research and reports address- 
ing the privacy practices of data brokers. As described above, the Commission’s Pri- 
vacy Report discussed the data broker industry specifically and recommended steps 
data brokers should take to improve the transparency of data broker practices and 
give consumers greater control over their information. 

To undertake a more detailed examination of the data broker industry, the Com- 
mission issued orders requiring nine data brokers to provide the agency with infor- 
mation regarding how they collect and use consumer data. The orders, issued pursu- 
ant to the Commission’s authority under Section 6(b) of the FTC Act, mandated pro- 
duction of detailed information regarding company practices, including the nature 
and sources of consumer data the companies collect, how they use, maintain, and 
disseminate the information, and the extent to which the data brokers allow con- 
sumers to access and correct their information or to opt out of having their personal 
information sold. These orders were directed to companies providing three basic 
non-FCRA services — marketing services, risk mitigation services, including identity 
verification and fraud detection, and people search or look-up services. The Commis- 
sion is expects to release a report on this examination of the data broker industry 
in the coming months. 

We also continue to examine emerging practices in the data broker industry. Just 
this month, we announced a series of seminars for early 2014 that will address a 
number of consumer privacy issues, including alternative scoring products offered 
by data brokers. Many data brokers offer companies scores to predict trends and the 
behavior of their customers. Companies are using predictive scores for a variety of 
purposes, ranging from identity verification and fraud prevention to marketing and 
advertising. Consumers are largely unaware of these scores and have little to no ac- 
cess to the underlying data from which they are derived. The program will explore 
a number of issues, including what scores are currently available, how companies 
are using them, how accurate the scores and underlying data are, privacy concerns 
surrounding the use of predictive scoring, how consumers can benefit from use of 
these scores, and what sort of consumer protections should exist for them.^® 

C. Education 

In addition to its enforcement and policy work on data broker issues, the agency 
also focuses on educating businesses and consumers about these issues. An impor- 
tant method for educating businesses is to publicize Commission complaints and or- 
ders and issue public letters warning companies of legal requirements and/or poten- 
tial violations. In this vein, the Commission sent staff warning letters to a number 
of data brokers that provided tenant-screening services, and to marketers of six mo- 
bile apps that provide employment background screening services. The FTC 
warned the companies and app developers that, if they have reason to believe the 
reports they provide are being used for employment screening, housing, credit, or 
other similar purposes, they must comply with the FCRA.i'^ 

More recently, Commission staff conducted an undercover effort to determine if 
data brokers that disclaimed FCRA liability were willing to sell information for 
credit, insurance, employment, or housing decisions. As a result of this “test shop- 
ping” operation, Commission staff found ten data brokers who appeared to offer data 
for these purposes. Commission staff then sent warning letters to these companies, 
advising them that their practices could violate the FCRA. 


Protecting Consumer Privacy in an Era of Rapid Change, supra note 6, at 68—70. 

Impress Release, FTC, Spring Privacy Series: Alternative Scoring Products (Mar. 19, 2014), 
available at httpij I www.ftc.gov I news-events I events-calendar 1 2014 1 03 1 spring-privacy-series-al- 
ternative-scoring-products. 

Impress Release, FTC, FTC Warns Data Brokers That Provide Tenant Rental Histories They 
May Be Subject to Fair Credit Reporting Act (Apr. 3, 2013), available at http: j lwww.ftc.gov ! 
opa 12013 1 04 j tenant. shtm; Press Release, FTC, FTC Warns Marketers that Mobile Apps May 
Violate Fair Credit Reporting Act (Feb. 7, 2012), available at http: I ! www.ftc.gov I opa 12012 j 02 j 
mobileapps.shtm. 

I'^The Commission made no determination as to whether the companies were violating the 
FCRA, but encouraged them to review their apps and their policies and procedures to ensure 
they comply with the Act. 

Impress Release, FTC, FTC Warns Data Broker Operations of Possible Privacy Violations 
(May 7, 2013), available at http: // www.ftc.gov I opa / 2013 / 05 1 databroker.shtm. 
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The FTC also hosts a Business Center hlog,'^® which frequently includes consumer 
privacy and data security topics; currently, approximately 3,500 attorneys and busi- 
ness executives subscribe to these e-mail blog updates. The Business Center blog 
consistently features the Commission’s enforcement actions and warning letters. 

Finally, the FTC has developed materials designed to educate consumers about 
the ways in which their data may be disseminated to companies with which they 
do not interact. For example, the FTC produced a video called Sharing Information: 
A Day in Your Life, that describes how everyday activities by consumers — shopping 
in retail stores with loyalty cards, bu 3 dng good online, and using social networking 
services — can lead to wide dissemination of personal information.2° 

TV. Conclusion 

These enforcement, policy, and education efforts demonstrate the Commission’s 
continued commitment to understanding and addressing consumer privacy issues 
posed by the data broker industry. We appreciate the leadership of Chairman 
Rockefeller and this Committee on these issues and look forward to continuing to 
work with Congress, industry, and other critical stakeholders on these issues in the 
future. 

The Chairman. Thank you very much, Ms. Rich. 

Pam Dixon. Ms. Dixon is the Executive Director at the World 
Privacy Forum. 

You are on. 

STATEMENT OF PAM DIXON, EXECUTIVE DIRECTOR, 
WORLD PRIVACY FORUM 

Ms. Dixon. Chairman Rockefeller, members of the Committee, 
thank you for the opportunity to share what I have learned about 
the data broker industry today. I appreciate it very much. 

As a moderate in the privacy debate and in the privacy world, 
I have come to a troubling conclusion: The data broker industry, 
as it is today, does not have constraints and does not have shame. 
It will sell any information about any person, regardless of sensi- 
tivity, for 7.9 cents a name, which is the price of a list of rape suf- 
ferers which was recently sold. 

Lists of rape sufferers, victims of domestic violence, police offi- 
cers’ home addresses, people who suffer from genetic illnesses, com- 
plete with names, home addresses, ethnicity, gender, and many 
other factors — this is what is being sold and circulated today. It is 
a far cry from visiting a website and seeing an ad. What it is is 
the sale of the personally identifiable information and highly sen- 
sitive information of Americans. 

So, Senators, I would like to make three points. 

First, scoring. There are now pseudo scores which are comprised 
of factors that are non-financial or, I should say, non-credit-report- 
based. These pseudo credit scores are used in lieu of actual credit 
scores because they completely circumvent the Fair Credit Report- 
ing Act. So a business or an employer or an insurer can purchase 
these scores and use them with no ill consequence or any con- 
sequence at all. This needs to change. 

Second, health. There are lists of millions of people that are cat- 
egorized by the diseases that they have, ranging from cancer to 
bedwetting, Alzheimer’s — terrible diseases, some of them benign, 
some of them relating to mental illness. There are lists of millions 


See generally http: / / business.ftc.gov / blog. 

20 FTC, Sharing Information: A Day in Your Life, available at http: I lwww.consumer.ftc.gov I 
media / video-0022-sharing-information-day-your-life. 
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of people and what prescription drugs they take. And these lists 
exist entirely outside of HIPAA. 

The Chairman. Outside of what? 

Ms. Dixon. HIPAA. 

The Chairman. OK. 

Ms. Dixon. The 

The Chairman. I understand. 

Ms. Dixon. Any kind of Federal — yes — health protection. Unless 
the data is held by a provider or, you know, a covered entity under 
HIPAA, forget it, HIPAA doesn’t apply. 

This industry that is selling these lists — there has been a lot of 
mention made of marketing purposes for these lists. These lists are 
being sold without constraint. We don’t know if employers are buy- 
ing them, if insurers are buying them. We don’t know who is buy- 
ing them. But the lists are being sold for apparently billions of dol- 
lars, which suggests to me that we need to find out who is buying 
these lists. 

In terms of solutions, my third and final point, we need to ex- 
pand the Fair Credit Reporting Act so that when there are con- 
sumer scores that are pseudo credit scores that this is brought 
under the Fair Credit Reporting Act so that consumers can exercise 
the same rights they would have if a credit score had been pulled. 
If the information is statistically as accurate and has the same ef- 
fect as a credit score, then why isn’t it regulated under the Fair 
Credit Reporting Act? This should be a bright line here, and I don’t 
think that that is too terribly difficult to draw. 

There needs to be, and actually there is an urgent need for, a na- 
tional data broker requirement for an opt-out. We favor an opt-out 
that is highly granular so that consumers don’t always have to take 
the nuclear option and get entirely off of every list. We favor con- 
sumers having the ability to make their own choices. Maybe a con- 
sumer wants her name and phone number on a list but nothing 
else, certainly nothing about her weight, certainly nothing about 
the number of children she has, or maybe she does, but the point 
is consumers need to know when they are on a list and need to 
make choices about what appears on those lists. 

We need to reexamine HIPAA and decide if health information 
that is not held by healthcare providers deservers healthcare pro- 
tections in privacy. I believe they do. 

This is going to be the beginning of an important public dialog 
that is going to be incredibly important for all of us to engage in. 
Because if we have an industry that has not curtailed the sale of 
names of anyone with highly sensitive information for 7.9 cents a 
name, then we haven’t done enough. 

Thank you for this opportunity, and I look forward to your ques- 
tions. 

[The prepared statement of Ms. Dixon follows:] 

Prepared Statement of Pam Dkon, Executive Director, 

World Privacy Forum 

Chairman Rockefeller and Members of the Committee, thank you for the oppor- 
tunity to testify today about data brokers, an industry that is often hidden from 
public view, and the impact of data brokers on consumers’ lives. My name is Pam 
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Dixon, and I am the founder and Executive Director of the World Privacy Forum.i 
The World Privacy Forum is a 501(c)(3) non-partisan public interest research group 
based in California. We focus on conducting in-depth research on emerging and con- 
temporary privacy issues as well as on consumer education. 

I have been conducting privacy-related research for more than since 1998, first 
as a Research Fellow at the Denver University School of Law’s Privacy Foundation 
where I researched privacy in the workplace and employment environment, as well 
as technology-related privacy issues such as online privacy. While a Fellow, I wrote 
the first longitudinal research study benchmarking data flows in employment online 
and offline, and how those flows impacted consumers. 

After founding the World Privacy Forum, I wrote numerous privacy studies and 
commented on numerous regulatory proposals impacting privacy as well as creating 
useful, practical education materials for consumers on a variety of privacy topics. 
A few months ago, we published a report on data brokers and the Federal Govern- 
ment, Data Brokers and the Government, which examined current law and practices 
in regards to the eligibility use of data brokers in particular. I have published many 
additional studies. Previously, in 2005 I discovered previously undocumented con- 
sumer harms related to identity theft in the medical sector. I coined a termed for 
this activity: medical identity theft. In 2006 I published a groundbreaking report in- 
troducing and documenting the topic of medical identity theft, and the report re- 
mains the definitive work in the area.i In 2010 I also published the first report on 
digital and retail privacy. The One Way Mirror Society: Privacy Implications of Dig- 
ital Signage Networks. I have also written several well-known reports on self-regu- 
lation, and in 2012-2013, was a lead drafter in the NTIA MultiStakeholder Process 
for Mobile App Short Form Notices. 

Beyond my research work, I have published widely, including a reference book on 
privacy. Online Privacy, and seven books on technology issues with Random House, 
Peterson’s and other large publishers, as well as more than one hundred articles in 
newspapers, journals, and magazines. 

I appreciate the dedication and work of Senator Rockefeller in bringing much- 
needed attention to the issue of data brokers, which prior to his attention, was lan- 
guishing on legislative backburners. 

Introduction & Summary 

What do a retired librarian in Wisconsin in the early stages of Alzheimer’s, a po- 
lice officer, and a mother in Texas have in common? The answer is that all were 
victims of consumer data brokers. Data brokers collect, compile, buy and sell person- 
ally identifiable information about who we are, what we do, and much of our “digital 
exhaust.” 

We are their business models. The police officer was “uncovered” by a data broker 
who revealed his family information online, jeopardizing his safety. The mother was 
a victim of domestic violence who was deeply concerned about people finder websites 
that published and sold her home address online. The librarian lost her life savings 
and retirement because a data broker put her on an eager elderly buyer and fre- 
quent donor list. She was deluged with predatory offers. 

These people — and 320 million others in the United States — are not able to escape 
from the activities of data brokers. Our research shows that only a small percentage 
of known consumer data brokers offer a voluntary opt out. These opt outs can be 
incomplete, extremely difficult, and must typically be done one-by-one, site-by-site. 
Often, third parties are not allowed to opt individual consumers out of data brokers. 

This state of affairs exists because no legal framework requires data broker to 
offer opt out or suppression of consumer data. Few people know that data brokers 
exist, and beyond that, few know what they do. There are about 4,000 data brokers. 
Despite the large and growing size of the industry, until this Committee started its 
work, this entire industry largely escaped public scrutiny. 

Privacy laws apply to credit bureaus and health care providers, but data broker 
activity generally falls outside these laws. Even a knowledgeable consumer lacks the 
tools to exercise any control over his or her data held by a data broker. It doesn’t 
matter that the data is about the consumer. The data broker has all the rights, and 
the consumer has none. 

Consumers have no effective rights because there is no legal framework that re- 
quires data brokers to offer consumers an opt out or any other rights. Privacy laws 
apply to credit bureaus and health care providers, but data broker activity generally 
falls outside these laws. Even a knowledgeable consumer lacks the tools to exercise 
any control over his or her data held by a data broker. It doesn’t matter that the 


iPor more information and to read many of the research studies and publications, see http:! ! 
www.ivorldprivacyforum.org. 
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data is about the consumer. The data broker has all the rights, and the consumer 
has none. 

In my testimony, I will discuss consumer data brokers, businesses that traffic in 
consumer data. The data broker industry is complex, and I can only focus on a few 
aspects of it. 

There are consumer list brokers that sell lists of individually identifiable con- 
sumers grouped by characteristics. To our knowledge, it is not practically possible 
for an individual to find out if he or she is on these lists. If a consumer learns that 
he or she is on a list, there is usually no way to get off the list. Some exceptions 
exist, but the rule is that the lists are circulated far from consumers’ eyes. 

Lists reveal information that would surprise most people. Data brokers sell lists 
of people suffering from mental health diseases, cancer, HIV/AIDS, and hundreds 
of other illnesses. Data brokers sell lists of people who live in or near trailer parks 
so that these undesirable consumers can be targeted for suppression. Data brokers 
sell lists of people who are late on payments, often to those who make predatory 
offers to those in financial trouble. Data brokers sell lists of people who are impulse 
buyers or “eager senior buyers.” All in all, there are millions of lists. 

In addition to list brokers, there are people finder services that sell consumer de- 
mographic information online. The hundreds of “people finder” websites online are 
also part of the data broker industry. Statistically, few of these sites give individuals 
a meaningful opportunity to have their information removed from their databases. 
A handful do offer a partial or complete opt out or suppression, but to exercise the 
opt out, consumers have to first find the site, then go through what can be an in- 
credibly frustrating series of hoops. Scanning drivers’ licenses, sending the opt-out 
through postal mail, and sometimes paying as much as $1,000.00 to opt out. A con- 
sumer who successfully negotiates an opt-out at one data broker faces the challenge 
of doing the same thing at dozens or hundreds of other data brokers. There is al- 
ways the risk that a name removed today will be added back tomorrow. 

I will also discuss consumer scores, a growing area of data broker activity. Con- 
sumer scores are not well-known yet, but their influence on consumers is profound. 
One important example is the modeled consumer credit score. The modeled con- 
sumer credit score consists entirely of non-credit elements. Why? Because this al- 
lows the consumer data broker industry to avoid giving consumers the rights that 
the Fair Credit Reporting Act provides. 

I will offer some solutions focused on addressing the problems identified in my 
testimony. The solutions I propose are practical and possible. The solutions are de- 
signed to bring fairness and rights to consumers. The data broker industry has not 
shown restraint. Nothing is out of bounds. No list is too obnoxious to sell. Data bro- 
kers sell lists that allow for the use of racial, ethnic and other factors that would 
be illegal or unacceptable in other circumstances. These lists and scores are used 
everyday to make decisions about how consumers can participate in the economic 
marketplace. Their information determines who gets in and who gets shut out. All 
of this must change. I urge you to take action. 

The Structure of the Data Broker Industry and Why it Matters 

The data broker industry is complex, layered and multi-faceted, and it is evolving 
rapidly. The industry cannot readily be described as just consumer information 
being sold on flat lists. There is much, much more than that. 

A way to start approaching an understanding is to look at some key aspects of 
the industry. 

Size: The data broker industry, by its own estimation, numbers in the neighbor- 
hood of 3,500 to 4,000 companies. Most data brokers engage in multiple activi- 
ties and have a range of core expertise. 

Scope: Data brokers range in scope from multi-national corporations with reve- 
nues in the billions to small sole proprietors operating locally. Some data bro- 
kers operate offshore. 

Shape of the long tail: This industry has a relatively small number of very large 
name brand companies, and many more small to mid-size companies. The tail 
of this industry is very long, and the end of the tail works its way down from 
large companies to small affiliates selling data online. 

Activities: These include list brokering, data analytics, predictive analytics and 
modeling, scoring, CRM, online, offline, APIs, cross channel, mailing prepara- 
tion, campaigns, and database cleansing. 

Data flows: Some data brokers host their own data and are significant pur- 
chasers of original data. Acxiom is an example of this kind of company. Some 
primarily analyze data and come up with scoring and Return on Investments 
proofs. Datalogix is an example of this kind of company. Some sell or resell con- 
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Sumer information online. Intelius is an example of this kind of company. There 
are many other models in addition. Some data moves from online to offline and 
back; some through social media and back. The point is that the business mod- 
els and data flows are complex, use many sources, and differ between types of 
data brokers. 

Affiliate Storms: One common model results in the flow of information from the 
largest name-brand companies to the smaller companies, who then turn around 
and resell the data to a third tier of “affiliates” who then market the informa- 
tion themselves, or to another downstream affiliate. The term I use for this is 
“affiliate storm.” A consumer at the end of all of the data reselling has difficulty 
finding the original compiler and seller of the data. 

Regulation: The 2013 GAO report on data resellers outlined the lack of regu- 
latory oversight regarding data brokers.^ There are additional concerns that 
some existing regulations are being circumvented in some cases. 

My comments today address the consumer-focused aspects of data brokers. Some 
activities of data brokers do not affect consumers in a negative or unfair way. Some 
list cleansing or compliance activities to bring the data broker in line with the Do 
Not Call list are unobjectionable. My testimony is about the other consequences of 
the data broker business today. 

Sources for Data Broker Data 

The sources for data broker data have become more complex as the industry has 
grown, and as the information systems have become more digitized. Consumers 
sometimes have a choice about whether they give data; other times, they do not. 
Even if a consumer paid mainly cash and lived very quietly, using shredders for 
their mail and records and keeping their SSN to themselves, the likelihood that the 
consumer could totally avoid landing on a data broker list is quite small. Most peo- 
ple in the U.S. are in many data bases and on many lists. 

Some of the most common sources of consumer data include: (marketing, not cred- 
it data) 

• Retailers and merchants via Cooperative Databases and Transactional data 
sales & customer lists 

• Financial sector non-credit information (PayDay loan, etc.) 

• Multichannel direct response 

• Survey data, especially online 

• Catalog/phone order/Online order 

• Warranty card registrations 

• Internet sweepstakes 

• Kiosks 

• Social media interactions (dependent on data broker interactions/agreements) 

• Loyalty card data (retailers) 

• Public record information 

• Website interactions, including specialty or knowledge-based websites 

• Lifestyle information: Fitness, health, wellness centers, etc. 

• Non-profit organizations’ member or donor lists 

• Subscriptions (online or offline content) 

Following are some source examples from data broker cards, these examples are 
not surprising or out of the ordinary. 

On a Baby Boomers data card, Adrea Rubin gave this source data: 

Source: Multichannel Direct Response, Survey Data, and Public Record Infor- 
mation 3 

On a data card for a Transaction Database, the company listed the source as: 
Source: 79 percent catalog/phone order/Online, 21 percent retail.’^ 


^Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in Technology 
and the Marketplace, http: I lwwiv.gao.gov I produets ! GAO-13-663. Sept. 25, 2013. 

3 DEFINING MOMENTS REACTIVE BABY BOOMERS Data Card, http: ! ! datacardhub.ad 
rearuhin.com ! market?page=research ! datacard&id=2559 14. Last accessed Dec. 17, 2013. 

^Adrea Rubin, Action Network Transaction Database, http: ! I datacardhuh.adrearubin.com I 
market?page=research/datacard&id=257898, last accessed Dec. 15, 2013. 
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On a data card describing extreme mail order buyers, the source for gender, age, 
income, number of purchases, and number of credit cards was cited as 

Source: Multi-source, consolidated from a variety of sources, overlaid with co- 
op/transactional data[l] 

A data card listing seniors listed the source as warrantee cards. 

Source: Warrantee card registrations ® 

Of the sources, a disturbing source is retail purchases both online and off. Cooper- 
ative databases allow retailers to append copious data about consumers to retail 
transaction files. This is the basis of the Pineda vs. Williams Sonoma case in Cali- 
fornia which Williams Sonoma took a consumer’s e-mail and added home address 
information. Below is an example of the use of retail transactional/cooperative data- 
bases, this one from KBM Group.® 


Where do we get our data? 

We compile and manage data in our AmeriLINK® national consumer database. 

This data Includes demographic, lifestyle, attitudinal and recent transaction data 
We collect and compile data from public records and publicly available sources in 
accordance with local, state and federal laws We also build predictive models from 
consumer supplied data and score our database resulting in 'modeled' data 
suitable for marketing decisions. This modeled data indicates a consumer's 
propensity towards certain buying behavior. 

Providing information for marketing purposes is only one facet of our business We 
also process and manage data for our clients. In this instance, the data is the 
property of our client and is supplied to us by them Client data is only accessible 
by the client who supplied iL and information is NEVER shared among clients or 
across functional areas of KBM Group 

With the acquisition of l-Behavior. the premier provider of consumer transaction 
data through its 1-Behavior Cooperative Database. KBM Group also compiles 
consumer purchase transaction data provided directly by member merchants. 

To learn more about the l-Behavior Pnvacy Policy. CLICK HERE. 

Later in this testimony, I include this company as an exemplar of good opt out 
practices. 

Sensitive Information and Lists That Should Not Exist 

One of the key characteristics of modern data brokers is a lack of restraint. The 
degree to which no piece of data is sacred is evident in the reams of sensitive con- 
sumer data compiled, scored, circulated, and sold. 

I do not oppose the selling of lists entirely. There is a reasonable center to be 
found. I agree that some lists are probably always going to exist that one or another 
person deems sensitive. Selling lists of doctors, nurses, teachers, and so forth are 
not among my favorite business models. But I understand the need for these lists 
and how they can be used in an unobjectionable way. I think of these lists as the 
center of the bell curve. These lists are of professional people. 

However, some lists should not exist at all. This is where I urge Congress to take 
action. Highly sensitive data are the frayed and ugly ends of the bell curve of lists, 
far from the center. This is where lawmakers can work to remove unsafe, unfair, 
and overall just deplorable lists from circulation. There is no good policy reason why 
unsafe or unfair lists should exist. 


^Warranty IT Seniors, Adrea Rubin, http: !! datacardhuh.adrearubin.com ! market?page= 
research / datacard&id=123434, last accessed Dec. 15, 2013. 

^http:! ! www.khmg.com j privacy-policy ! . 
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I give you some examples: police officers home addresses, rape sufferers, domestic 
violence shelters, genetic disease sufferers, among others, below: 

• A list of police officers at home addresses. This list can threaten the safety of 
police officers and their families. 
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• A list of rape sufferers. This is an unjustifiable outrage that sacrifices a rape 
victim’s privacy for 7.9 cents per name. 
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MEDbase 200 

About » Our Lists 

List Categories '' 

Contact 


MEDbase200 

Integrated Business Services Incorporated 
735 N. Western Ave., #125 
Lake Forest, IL 50045 
1-800-451-5478 
inro@)medbase200.com 


i.e Registered Nurses and... Search 
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by: MEDbasc200 
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• A list of domestic violence shelters. Existing laws allow domestic violence shel- 
ters to keep their location secret so that abusers cannot find their victims. The 
commercial sale of lists of these shelters is unjustifiable. 
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• A list of genetic disease sufferers. This list identifies people suffering from ge- 
netic diseases. This information will apply to these people — and their progeny — 
for their lifetime. Congress and the States have passed laws to protect the pri- 
vacy of genetic information, but these laws do not stop data brokers from selling 
genetic information to anyone for any purpose. 
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• A list of seniors who are currently suffering from dementia. These unfortunate 
people are often targeted for highly predatory offers. A list of caregivers would 
not have the same potential for deleterious consequences. 
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I of 4 
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• A list of HIV/AIDs sufferers. 

M«ln« IMt I AMl AMt Hw IntKttoM hint«m Int 13/lS/l) 2 41 fW 


MEDbase200 

Integrated Business Services Incorporated 

736 N Western Ave , #125 

Lake Forest. IL 60045 

1-800-451-5478 

info@medbase200.com 



MEDbase 200 

About ■» Our Lists 

List Categories 

Contact 


i.e Registered Nurses and Search 


1= Aids And Hiv Infection 
Sufferers List 


Mailing List / Email List File owned 

by: MEDbase200 

Medical List Database 1D:276 

Aids And Hiv Infection Sufferers List 

98/100 on Nexlmark.com 

Base Price Per Thousand: $79.00 

Total Universe: Inquire for a Current 
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• A list of people with addictive behavior, alcohol and drugs. Alcohol and drug 
treatment information about patients is the subject of extra protections under 
existing law, but no law stops data brokers from profiting by selling the infor- 
mation. 


Addictive •ctvivion. Akohol And Onigi Mobng UM 


12/lS/t3 2 30 PM 


L Exact Data 


177-440-3212 

USINESSUSn 


MAILIMH USTS 


EWIIHUXETIM 00-IT-YOUI9LF CONTACT rKEOUan 


* » • AddcM atfwvion. Aleehol And Orugt Mddmg UM 

ADDICTIVE BEHAVIORS. ALCOHDL AND DRUGS MAILING UST 


Avadabtd Channots: Poatol. E'na \ 


17.523 

1.598 

1.110 


POdtal Rdcord* {UnrvdTM) 
Etnad Ra eo f da 
Phona RacorOk 


$185 OOM 
*$US00iM 
*S13000M 


OalPrlainB 
OM Mora Infennatten 


CUSTDHCI SUPPORT 

LIVE CHAT 

cm 877.440.3282 


EjuKt Data AddKttva Bahavior t . Aioohoi And Orugi ma*ng hat brmga tomi rai ia Wa, co ai -dWaciiva oonaumar 
conlactxfor al of your proapactrig naadt TIm racorda n Otia tw ara fraquanly hy^tanad through NCOA 
proeaaamg to anaura maumum aooracy. Contaaang oonaumar damographK vdormadon, taa apaotc maAng 
tilt of Addictwa Bahavton, Alcohol And Oruga anaWat mad« buyara lo budd now long^ami cuatomar 


:SfOR»ATIOH 

FIrM Name 


No Charge 

Any Spacdic Gaography 

City 

County 

SCFCoda 

ASOftfM 

ChantaMa Donor 

Ag* 

Gandar/Sex 

MantalStatua 

IISOOTM 

Inlaraat Calagonaa 
Ethncty 


ZIP Coda 
AraaCoda 


ChdtfaAga 

g Sua/Typa 


Langth of Raadlanca 


C00000201 

imamatfOrAna 

OpiHn 

08f1»2013 

08f1»30l3 


To raoana m 
on ffia Addicttva Bahaviora. 
Alcohol And Oruga Mailing 
Uat. M oiA lha torm on Via 
nghi 10 pfaca your raquaat A 
apaoakat wdl raaeft out to you 
to anaoar and q uaa ti on i 
about lha Addictiva 
Ba h aviora, Alcohol And 


cuonnsniiONuis 


hnp //www.rarwufmctoese.com/mailwg-tim/addicwe-behaieon-alcenoi-and-drugt-irMding-lw Mml 


Page lo(2 
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• A massive list of people identified by disease and prescription taken. Diseases 
include everything from A to Z, from cancer to mental illness, to bedwetting to 
gambling and much more. 

Ailmems Lm*. ^encnplnn Um. UedK«l CondHiont Uttt. Ailmefits Tetemirlietinq and Email |JU» { OMOaia6av«» 12/12/1) S )) AM 


AILMENTS MAILING LISTS / EMAIL LISl'S 

AILMENT / MEDICATIONS DATA SOURCE: Survtyt and/or Data Contribution* 


(MtQBIAHT: Wh*n usanp tfio btkm admonts lo croar* your rmw maiftng ktt- bo 

M/rotouoortomogrophKitoofiftf^ycvfpbbonh. rMvpabants Hrirn aamamadKa/admont 
ato not (ri* samo smco thoy moy havo dMbront damogra/VHCS (ago. moomo. oducabon tavol. 
ale) and thoaa damograpbKS can md u an co dm wJkngnoss to u$o your produeVaorvico 

CLtCK HERE to rovtoar domograpHc* for guaUfying your aWmont lt$t 


CUCKHERE andracanm abaaeeunthranyaJmorHmaikrtglatoromaykal 
wOh a pnorg quota 


CAIEOGAY 

TYPE 

DETAIL 

AILMENT 

ADDICTION 

Alcotioiiam 

AILMENT 

ADDICTION 

Drug* 

AILMENT 

ADDICTION 

Food 

AILMENT 

ADDICTION 

OaiWing 

AILMENT 

ADDICTION 

Saiual 

AILMENT 

ADDICTION 

SptcAedy Not Avadablo 

AILMENT 

ADDICTION 

Tobacco 

AILMENT 


Aodrodux 

AILMENT 


Aow 

AILMENT 


Adnc Karatesis 

AILMENT 


Agrg 

AILMENT 


Abrioimor'* 

AILMENT 


Anonna 

AILMENT 


AriorKMCtarofti* 

AILMENT 


AfVinM 

AILMENT 


AftmtB-RhMjmakMd 

AILMENT 


Astvna 

AILMENT 


Astvna-chdd 

AILMENT 


AWoNtfool 

AILMENT 


Bad broalh 

AILMENT 


BaebPam 

AILMENT 


Btaddar control 

AILMENT 


Badwotling 

AILMENT 


BbodiwtsMtual impatnnont 

AILMENT 


Blood ckiti 

AILMENT 


Blood cHorder 

AILMENT 


Body odor 

AILMENT 


BomtsI problom* 

AILMENT 


Calcium dobooncy 







hnp //dmdaubasn <ora/daubaM»/coAWin«r>majlMi9'i>ut/a<lm«niflmt 


ajf* lot It 
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These lists speak for themselves. Can we agree that some lists should not be cir- 
culated? Can we agree that the people named and pinpointed and targeted by these 
lists should be protected from the harm that can come from simply the inclusion 
on the list? I hope this is the case. 

I also would put derogatory credit lists on the firing line for if not removal, then 
special treatment. These lists abound, 

• Hispanic payday loan responders 




f ^ 

fa Exact Data 

aa 

1 POSTAL, EMAIL AND 

' TFI FPHflNF 1 ICrC 'VfiwTfXifito" 

i 

ICLCrrivnC LI3 Ij Arfwyuote 


Hispanic Pay Day Loan Responders Mailing List 

These Hhpinic Cash AtKance/Payday ktan seekers need cash quiddy to pay monthty MUs such as car 
payments. uMKy M($. credit card payments, etc., beldre they receh* penalties for late paymen* 


, Exact Data 


MOMCNTS COUKTS TmOUGH IViOfJClJ 

Tso.eoo TOTAL imivMse / BAse MTE sesotvM 

AHCWe fMMOUS UM.W* 

pcsaumoM 

Thoc HspuiK GORM^mcn reached oal to wnee • taai ookU) ato easty ■ 
oderto: 


MAJurr. CONSUMC* 

CHANatLS. 

COMRUD LISTS, otaea 
AtseoNse 

UNKNOWN 
ns-MeHeeii 
HtercMeo PtOMoea 

USA 

FCMAli 4S% MMl 


souacf: 

PAIVACV; 


• Avoid beuaced check feci 

• fv/ moeihl) hiiK before they bcc a ne pcoAliwd 


STATVS. 

MO 
CCNOCA 
UUCTS 
ta 

ctovceocaAPHiCAL 


SIOOIVH 

sroaw 

sroo/H 

SIOIVM 

SSOOIVF 


IhcM lliipinx CaJ) Iuap *eAa% teed catb ewchk to 

ntondiK hlU tych m em payneab, Nllt. creda evd paymrnev. etc. 
beforedtoy Rccive pcaaiciei frr Icie |N>tneM 


ie onkr toquhfy. a ceanoKr aee^ to haveachccLsai A.;v%aK. be oarcady 
cnploytcL have a *«i«| KWpL«v>e n .:mber. be ■! II eht aad a 

U.S reodeM A poor credd nug »ill rot Bece«anly nb bd eoe^isnm ftoas 


KPrcootNC 

UtAtt/fTP 
MLAHO LISTS 
jOOWllONT>€t«LUO( 

OSHT CAAO TTUNSACnON 
■•scsrAce 

J DOT CRUNCX nuX NV* 
j HOT Tteno otTv HioocCT aintAs 
..idSMNK CONSUHtOS WMO AA{ 
'^woeaBAMCH) 

..SEASONS mosthas 

j otaxT Acrjk.'v soiunoe 
, flKTRONICS - NEW oaocr AMD 
•'tLtCTAONlCSBvAfaS 

JRAMCtwroa* 

AMEWCAS COSS-^sas v<3«>;N6 

poa COOK»C noouers 


COISUMEtBRSE 

MOKES IT 

EASY 

roFitorouA 

TARGET 

RUDIENCE 


FUQtVOJR 

LISTS mini 

I UNUtESOICTSlUO | 
nurasTiuisi 

MARKET 


eWa nil 


Iboe proven dacct tc ap onic ap pli c a aN arc proipcca for wrured aid 
iBMcuRd crcdii «>n<n. pay day kiaa idTrrv. m\uni fiaancisf frofrw». dirtc 
cwaelidaDJn onaey ladUBp oppontn:^. vucepvu&ev d hooK 

fthyaofKu.' prr'inniv. Asmee lenap. aid career cnemoi oiterv 


kaa /<Mv/ieiMMft(a«i/aurkfl^iei< 


• IWU 
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• Derogatory credit consumers. These millions of consumers fall into a low credit 
category. 

Om«Mo«v CratfA CoAMMicn U«tin9 uu IZMS/l) 1 19AM 




r ^ 

■■ 

1 POSTAL, EMAIL AND 

ITIFPlinNFIICr^ 

L i 

1 CLCr nvnc LI^I^ nrreewuwe 


Derogatory Credit Consumers Mailing List 


OerofMory CretfK Coraunm «re n the tow credn cotefory. Theie cerawnen hove aU either mode Ir 
deosiom or been victm of cvcumunce iiot hove couoed thdr credit to be Mdr-por. 


I II i r 


^ ExactOauj 


LWMIl TOTM I.NWIM / OAU OATI 
2rti.OH AVAUMLC PHOm «IUMi(hS 

MONTt«V HOrUNC 

otecwenow 

Deregotory CredR CoMumen ore in the Icwrer credit cotefory. Theie contumert hove oil etther made Me d(< n 


CDKSIJKERMSE 

MAKES II 


J 

itimJof Cl 


Theie individuob ore in nerd Of hdp ond abo tn need of Mme fonn of credit to hetp them rctuM their live« 


im 

TO FIND YOUR ' 

TARGET 

AUDIENCE 


Tho fSe H tdeol for a wide vonecy of different markotwt compaiim and can be more ipectficoUy torfred 

IISTSWTH 
WnUCSQiCTSANO 
FM TOUR TARttT 

MARKET 


• TO argir the i«. MW ao ye^ y i r eMr K — > Mr iwt w » » UM P >)TO>tOaroo*wei»oi»c»»nw w 

• k^MMiwtMMyanoeieMooeMiaiMuNMTMCin 

• oaikNrTiMH(AVAiLoaaoMO*oc*so'rSiMoo*NOM(f 7 0 orMEiuNOiMici) 

• EICCMIMCC S HOT OVAAAOU 


• CANCtUATPN m AT CM 0^ 


F— if:— -I 
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In the Solutions section of this testimony I discussion ways that this negative list 
situation can be improved. It is important to note that the lists are just the obvious 
outgrowth of other data broker activity, such as scoring. 

Geography is Destiny: Trailer Parks and Zip+4 

Where a person lives counts. A lot. Unfortunately, or fortunately, depending on 
where you live, geography is marketing destiny. And marketing destiny can now af- 
fect what opportunities come your way by virtue of savings, discounts, or receiving 
financial offers. 

For example, people who either live in a trailer park or within a certain radius, 
usually a couple of miles of a trailer park, are often candidates for list suppression. 
They will not receive opportunities that their neighbors do solely because of their 
type of shelter. Or conversely, people who are in a trailer park may be specifically 
targeted for ads for low-income products or services. Is this trailer park redlining? 

DMDatabases offers, for example, a suppression list that includes trailer parks as 
an option, among others: 

OTHER SUPPRESSION OPTIONS 

NURSING HOMES 

TRAILER PARKS 

MILITARY BASES 

COLLEGE DORMORTORIES 

BANKRUPTCIES, TAX LIENS, JUDGEMENTS’ 

It can be reasonable and fair or a local business to use Zip+4 to target a geo- 
graphical area nearby. This makes a lot of sense. But I am not persuaded that it 
is fair to use detailed census tract data and Zip+4 to unfairly exclude people who 
may be living in or near the edge of poverty. 

Inferences and Categorization 

Data brokers categorize consumers into tightly defined boxes sourced by retail 
transactions, number of credit cards, ethnicity, marital status, gender, education, 
and many other factors, including neighborhood. There are a number of products 
sold by data brokers that accomplish this. One product in this category is Personix, 
sold by Acxiom. There are 70 Personix Clusters, each one identifying a type of con- 
sumer. Another product is Prizm, sold by Claritas.® “P$ycle” by Dataman Group® 
is another product. However, I do not know of a single company that allows con- 
sumers to view the clusters they are put in. I do not know of a single data broker 
that will allow consumers to permanently opt out of the cluster definitions attached 
to them. 

At Acxiom’s It’s About The Data Portal, entering various zipcodes, salaries, and 
characteristics such as presence of child, marriage, and so forth allows one to ex- 
plore the clusters. 

Here are two sample Acxiom clusters: 


’DMDatabases, Suppression, http: ! I dmdatabases.com ! data-processing I suppression, last 
accessed Dec. 17, 2013. Screen shot available. 

® http: ! I www.claritas.com I MyBestSegments I DefauU.jsp. 

^http:! I www.datamangroup.net I PyclcFinancialMarkets.php. 



89 



My Cluster 


7-Eleven. 


Working & Studying: Cluster #70 

This duster represents the lowest for net worth and Is seconi 
to last In terms of Income. It Is made up of single, high-schoo 
educated renters (with a mean age of 39) living in a mix of 
single-family houses and apartments. The group, ranked 
lowest for working women. Is employed mostly In the lower 
echelon white-collar jobs and Is three times as likely to 
Indude students. Leisure activities consist of a mix of active 
and less-active, induding playing Fnsbee. softball, and 
volleyball: following the NBA. collecting sports trading cards 
and going to ntovies and listening to concerts on the radio. 
Shopping favors cost-saving discounters, such as Aid! and 
Wal-Mart and quick pick-ups at convenience stores such as 


Acxiom respects your privacy. The data entered on the previous screen will not be retained or used 
for any other purpose than producing the demo results. To review our full Privacy statement, please 
click here . 

Your self-reported data assigned you to the above Cluster. The mfoBase database may carry a 
different PersonicX assignment for your household based on the data we have available on the 
InfoBase Consumer Database. 


Affluent Households: Cluster #4 

This duster represents established, wealthy Emilies, often 
with teens, living in the lap of suburban luxury. With top 
rankings for education, income and net worth. Cluster 4 
contains marhed executives and professionals who earn 
absolute top- dollar incomes, focus on their investments and 
Indulge In an expensive array of activities. Reflecting their 
devotion to kids, they play board games and go to the 
museum, the beach and the zoo. They play tennis and golf, 
and they attend professional sporting events, usually in a 
luxury mlni-van or SUV. They are frequent shoppers, buying 
dothes for themselves and their kids and furnishing their 
houses. 



My Cluster 


Acxiom respects your privacy. The data entered on the previous screen will not be retained or used 
for any other purpose than producing the demo results. To review our full Privacy statement please 
click here . 

Your self-reported data assigned you to die above Cluster. The InfoBase database may carry a 
different PersonicX assignment for your household based on the data we have available on the 
InfoBase Consumer Database. 

These clusters come attached to average ages and proximal information to guide 
marketers. The clusters are purchased by other data brokers and are used to over- 
lay other data they already have. In many ways, the clusters shape the ads we see 
online, the deals we get in the mail, and in some cases, unwanted targeting both 
at the high and low end of the clusters. 

Take for example the following data card, which is described as Low End Credit 
Prospects. The source for the data is multi-source, and includes Acxiom data. The 
data card specifically identifies low-end credit prospects by their inclusion in the 
Acxiom Personixs clusters. In this case, these consumers were not described by 
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being assigned a modeled credit score, rather, the cluster does the work of charac- 
terization. The category profiles are then combined with recent transactions, which 
in turn landed these consumers on this data broker list.^*’ 


Datacard Hub 


ACTIVITYTRACKER LOW-END CREDIT PROSPECTS 

ACTMTYTRACKER 10W-€ND CREDIT PROSPECTS OornbtnM ffi« best ofACTTVnYTRACKER^ i«c*nt VanMCMnt wiVi 
iKuMdPERSONiCXdu«i»raruiiiMn»vn4dMi'*b>««udt«nM S«gm«nttrftc<uM kMw SingiM Cssh tnd Cany 
Urtannat Rural Saainty Ganng Stanad ACTTVlTYTRACKER rdanttM oonauiwt tut bava raoanly lakan an acaon m tw 
laai 30 day* uvhoatng ineraaaad d>raci mail ratponiwanaaa ThaM acavtsaa mduda. but art no< bmnad to Cradd card 
laauanoa.oaditcsrd uM. rtaw movaa. mortpaga raartancat. mail onlar purcftaaaa. and mora (w lalactabia m monti) 


SEGMENTS 


1.305.660 TOTAL UNIVERSE /BASE RATE 

1.365.660 Total 1 Menn 
Email Addrasaea 
Pnona Numbar 



ACnvnYTRACKER LOW-END CREOTT PROSPECTS comWnas the 
best of ACnVTTYTRACKER'S recent trartsactJons with focused 
PER50NICX clusters that identify this desIraMe audler>ce. 
Segments Include: ; 

a New Market Singlaa thraa^tuartars of thrs group la under age 45 and it 
spill batwea n homaownars and lertars Many have uppar-middto 
incomaa and n starting to accumulala net worth as they are invastatg 
and paying off student koar« Many use oniinabenkmgsarvicaa; 
a Caah and Carry Urbanrtas a mu of trngla and mamad c ouptaa This 
populabon ganaraHy haa low-to-midcSa mcorriaa and knv net worth 
They land to save for a spacrfic purpose and typically do not know 
ihaa bank balance at any one time, 
a Rural Sacunty typicaPy empty naatars. toma amgla Thaaa 
indrvMuala land to hava towar incomaa and bmitad nat worth Mora 
njrMly-based and typicaPy nsk avarae. thrs populabon tends to staar 
clear of onMne banking; 

a Oattlng Started moatly under age 35, tins group « m a transitional Me 
phaa# starting good loba/buytng homes wNh others atnigglmg to 
aalabUah thamaalvaa Many are likely to taka rtsks tr. invaating. 
although many many not he^ much to invaat 


In addition to credit, these individuals should be excellent 
prospects for general merchandise, sweepstakes, self- 
improvement and health/wellness offers. 


USTTYPE 


Consumer % E3 S 

«mI ut |Mm 


SOURCE 


UUL n-SOURCED. POWERED BY 
ACXIOM 

1 1 L i J ' M .' 1 1 

Counii trough 

10010013 

LawdodM 

11040013 

NtiluOdM 

121000013 

SELECTS 

Ag» 

ITOOAI 

ClMKN Ag« R«ng« 

$120044 

OMOferfi 

$12.0044 

DwMHng Stzsrtyp* 

&3S0M 

EducMon 

$12.0044 

EttfsoOwlaiy 

$250044 

QrnbrrtSrx 

$T0C44 

QtolQMgrapnictl 

srooM 

HomtOwntr 

$120044 

ticomt Stita 

$7 0044 


What is most objectionable is that many products like Acxiom’s exist without con- 
sumers having any rights with respect to the data about themselves that is being 
compiled, bought, and sold. Errors may significantly alter the cluster a person is in, 
therefore altering the quality and type of offers a consumer receives. Life looks very 
different for cluster 1 and cluster 70. 

Consumers need more rights over the use of their personal information by data 
brokers. 

Modern Eligibility 

Eligibility has expanded and, with it, the uses of marketing data for eligibility 
purposes and for suppression purposes. In the traditional credit world, the FCRA 
still regulates the use of credit in strictly-defined eligibility situations, such as em- 
ployment and insurance. The Equal Credit Opportunity Act also places limits on 
data use. So does the Health Insurance Portability and Accountability Act’s (HIPAA) 
health privacy rule. 

Modern eligibility has evaded, avoided, and overrun these laws, creating an unfair 
situation for consumers. When health data is held by a covered entity, HIPAA pro- 
tections and rights apply. However, the exact same data, used for purposes outside 
of strictly-defined FCRA, ECOA or HIPAA limits and when not held by a health 
care provider, escape the bounds of regulation. The definition of eligibility needs to 
be expanded to encompass how data is now used. Consumers need more rights with 
respect to these activities: 

• Authentication: using public and behavioral data to authenticate consumers to 
use a service. 

• Anti-fraud: using transactional and behavioral data to determine whether fraud 
is occurring. 


i^’Adrea Rubin, Activity Tracker Low End Credit Prospects Data Card, Card ID 310015, 
http:! I datacardhub.adrearubin.com ! market?page=research I datacard&id=310015 last accessed 
Dec. 15, 2013. 
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• Identity verification: Running quasi-background checks to verify aspects of a 
consumer’s identity. 

• Lifestyle: Background checks for dating websites, for schools, for clubs. 

• Offers or suppression based on proxy credit scores: data broker-generated finan- 
cial offers based on non-credit information, but just as accurate as a traditional 
credit score. Or the inverse: people are excluded from a list based on this infor- 
mation, but without associated FORA or ECOA rights. 

• Offers or suppressions based on medical data: Consumer health information 
that has escaped from the boundaries of HIPAA — a significant amount — needs 
new rules that data brokers must follow. Health-related analytics that have an 
impact on consumer’s health care prices, health care, credit, or emplo 3 Tnent 
need controls To protect consumers. Certain lists should not exist, and certain 
data should not be used in lists, in analytics, or anywhere. Even lists that data 
brokers deem non-sensitive such as lifestyle lists identifying smokers or other 
patterns need controls. 

Consumers who fail authentication tests, ID verification, or get identified as a 
fraud risk will show up with different scores, will wind up on different consumer 
data broker lists, and may have difficulty conducting their daily business. Con- 
sumers who are painted as fraudsters may find themselves locked out of their own 
bank, credit cards, and even phones. Consumers who are identified as having very 
low or derogatory credit by non-traditional analysis and scoring may find them- 
selves deluged with predatory offers. Consumers who are marked by a data broker 
as having cancer, previous trauma, a chronic disease, including genetic diseases, 
and even lifestyle markers, can have that data sold to the wrong party and find 
themselves on the short end of the health care stick and deeply stigmatized in many 
areas. 

Circumventing the FCRA 

While my testimony is not focused on the FCRA, it is important to state for the 
public record that many data brokers are engaging in behaviors that circumvent of 
the FCRA. I leave it to the Committee to decide if these activities are already illegal 
or if they should be brought within the FCRA and regulated in the same way as 
traditional credit records. 

Proxy credit scores relate to circumventing the FCRA.^i There is another issue 
related to circumventing the FCRA. Many of the websites selling consumer back- 
ground check data and other data state in a disclaimer that they are not a consumer 
reporting agency and therefore are not regulated under the FCRA. They adjure their 
customers to not violate the terms. The restrictions are not meaningful, and we sus- 
pect the violations of terms are routine. 

There need to be meaningful checks and balances to keep improper uses from oc- 
curring. Given the sheer numbers of affiliate websites selling consumer data, this 
will require some affiliate oversight and reform. We found some affiliates without 
a privacy policy, much less an opt out. 

From http:! I www.peoplesearchnow.com I default.aspx: 


Just because there is a paragraph stating that a website is not operating as a con- 
sumer reporting agency doesn’t make it so. We strongly suspect that the disclaimed 
is offered with a wink, safe in the knowledge that no regulatory agency will be able 
to look at hundreds of small sites for violations of the law. 

Data Broker Opt Out: The Grim Choiees Consumers Face 

Consumers face bad options and scant choice when it comes to data broker opt 
out. Leaving aside rights conferred under the FCRA for strict FCRA-defined eligi- 
bility purposes for the moment, consumers are in fact left largely to fend for them- 
selves with few tools and no clear rights. Some opt outs exist, hut the landscape 
is difficult — so much so that it is improhahle that consumers can wend their way 
through the opt out process successfully 

How many allow opt out? 

The World Privacy Forum compiled a list of 352 consumer-focused data broker 
sites and lists. Our list is available at http:! ! www.worldprivacyforum.org ! 2013 ! 12 j 


Selling Consumers Not Lists: The New World of Digital Decision-Making and the Role of 
the Fair Credit Reporting Act, Ed Mierzwinski and Jeff Chester. November, 2013. 
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data-brokers-opt-out I . A study of the data broker industry conducted by Dr. John 
Deighton for the Direct Marketing Association in 2013 found that the universe of 
data brokers was approximately 3,500.i^ Our data broker list, then, comprises at 
ten-percent rough sample of this universe. Included on the list are various people 
finder websites, data brokers that this Committee or the FTC has sent letters of 
inquiry to, consumer list brokers, and others. Of 352, 128 offered a data opt out. 
Some of those were full opt outs, some partial or unclear, some of them cost as much 
as $1,799.00, and one opt out promised that the site reserved the right to “publish 
the request” if someone decided to opt out. 

Opting out of Data Broker Scores and Lists 
To remove a consumer’s name and information from all data broker lists appears 
to be an almost impossible task right now. If a mailing list is held by a DMA mem- 
ber, the DMA opt out can be effective. However, not every data broker is a DMA 
member, which poses an immediate problem. For scores, there is no known score 
opt out. After a consumer is assigned a score by a data broker, a consumer will find 
it nearly impossible to find that score or to opt-out of its use to describe or charac- 
terize the consumer. 

In our research, we have found one exemplar company that is allowing an opt out 
of their databases and lists, KBM Group. A screen shot of the relevant portion of 
the policy is below; note that the policy allows for internal database opt out as well 
as linking to the DMA opt out. The policy is located at http:! I www.kbmg.com I pri- 
vacy-policy I . This is a best practice, and is seldom seen. 

What can an individual do to be removed from KBM Group s marketing lists 

To be removed from our house lists, simply e-mail o' wnte to us Just state your 
request to be removed from our marketinn lists and supply your name and address 
Mail requests to 

Privacy Preference Department 
KBM Group 

2050 N. Greenville Ave. 

Richardson. TX 75082-4322 

Or E-mail your request to consumer.issist.mco a kbmcj com 

To be removed from the l-Behavior Cooperative Database CLICK HERE 

We can only remove information from our internal lists To remove a name from as 
many lists as possible, send your exact name and address with signature and 
$1 00 processing lee to the Direct Marketing Association at 

DMAchoice 

Direct Marketing Association 
P.O. Box 643 
Carmel. NY 10512 


Suppression vs opt out 

It is important to note that when consumers opt out of data broker websites or 
lists, most often what is happening is that their information is being suppressed. 
The information remains, but it is removed from circulation. Delete is not a word 
that is used very often in data broker opt out. 


Panel comments by Dr. John Deighton, National Press Club, The Value of Data: Con- 
sequences for Insight, Innovation and Efficiency in the U.S. Economy, A Symposium Hosted by 
DMA’s Data-Driven Marketing Institute, October 29, 2013. Dr. Deighton was commenting on his 
sampling for the study, The Value of Data: Consequences for Insight, Innovation and Efficiency 
in the U.S. Economy, John Deighton and Peter Johnson, DDMI, 2013. 
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For consumers who want to get off of data brokers marketing lists, the primary 
mechanism for removal is to use the DMA Choice opt-out mechanism. This will put 
the consumer on a suppression list, which means the data brokers will still have 
the consumer information, but no further sales or marketing will occur within a 
given time frame via the lists that allow opt out or suppression. 

When data brokers allow for a DMA Choice opt out to influence all of their list 
and brokering activity, this is a good thing. But this is not nearly as common as 
it needs to be. Only some lists adhere to the DMA Choice program. One significant 
problem is that not all data brokers are DMA members, and thus escape the self- 
regulatory program. For those that are DMA members, we do not know how effec- 
tive the DMA Choice program is. 

Policy Issues in Current Opt Out ! Suppression Practices 

Of data brokers that allow opt out, additional policy issues include the following: 

• Incomplete: Most opt outs are incomplete, and often require consumers to have 
a safety reason for the opt out. 

• Suppression not deletion. Many opt outs are suppression-based. This may be dif- 
ficult to change. 

• No Third Parties: Consumers are usually required to ask for the opt out directly 
on their own. Requests through third parties are not allowed. This makes opt 
out an impossible proposition for consumers, who have to go to each individual 
site to effectuate the opt outs that are available to them. It is clear that the 
policy deliberately seeks to make it as hard as possible for consumers to exer- 
cise the ability to opt-out. 

• No Guarantee: An opt out is not guaranteed, no matter why the consumer is 
conducting the opt out. Thus, the opt out may not work or may only be effective 
for a short period of time. 

• Fees: Some data brokers charge fees ranging from annoying (less than $30) to 
exorbitant (in excess of $1,000). 

• Hunting for the opt out: Finding the opt outs on many consumer data broker 
sites is an exercise in extreme patience and persistence. Opt outs are seldom 
indicated by a prominent opt out button labeled as such. While some data bro- 
kers do play nicely with consumers and provide this, fair play is the exception, 
not the rule. Typically, opt outs are buried deep within a privacy policy, terms 
of use, or FAQ. 

• Opt out requirements non-standardized: Opt out requirements non-standardized: 
A bewildering array of choices face the person who wants to opt out of data 
broker lists. Some opt outs are fair. DMA Choice is a reasonable opt out. But 
many are not reasonable or fair. Some require a privacy-concerned consumer to 
send a scanned copy of a driver’s license or to jump through other hoops. We 
would be reluctant to recommend that a consumer share a copy of a driver’s 
license. Many consumers do not have a driver’s license or other government- 
issued form of identification, and these consumers may find it impossible to opt 
out. 

• Marketing use of opt -out information: No regulation stops data brokers from 
selling or otherwise using the information given in an opt out application. 

• Negotiating the opt out: There is no controlling legal standard for data broker 
opt out. As a result, consumers have to dig through complex privacy policies and 
language and figure out each opt out. 

• Partial Opt Outs Only: Some data brokers allow for partial opt outs, meaning 
that it is available only if there is a safety issue, or if an individual is a member 
of law enforcement. However, there are concerns even with this. There are no 
rules that say that information about the request to opt out will not be sold or 
shared. 

• No opt out: Many data brokers do not allow any opt out. Consumers are left 
with no recourse. 

Examples of challenging opt outs 

Here is an example of a privacy policy with an opt out notice, this is from a con- 
sumer-facing data broker site called SortedbyName.com. Note the last sentence, 
where consumers who opt out may be treated punitively for doing so (emphasis in 
yellow is mine).: 

• This webmaster reviews stats, including IP addresses of site visitors from time 
to time. 
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• Third party vendors, including Google, use cookies and web beacons to serve ads 
based on a user’s prior visits to the website. 

• Google’s use of the DART cookie enables it and its partners to serve ads to 
users based on their visit to the site and/or other sites on the Internet. 

• Users may opt out of the use of the DART cookie by visiting the advertising 
opt-out page. (You can opt out of a third-party vendor’s use of cookies by visiting 
the Network Advertising Initiative opt-out page.) 

• With the Firefox browser, use Ctrl+Shift+P for private browsing. Use Tools — Op- 
tions — Privacy to set preferences. Use Shift-rCtrl-i-Delete to clear your history so 
remote servers cannot access it. 

• By sending a request for removal of names from the site, you give us permission 
to publish the request, including your e-mail address and all headers. 

Here is an example of a complicated opt out, this at from waatp.com: 

How do I remove or update my data on waatp.com? waatp.com investigates for 
live data reached by public on a regular basis. Because this information is not 
contented on our hosting, we cannot give any guarantees these data will be re- 
moved until the change has been occurred at the source of the data. To update 
or remove this information, we advise: Our site will provide the certain source 
for the information the applier would have changed or removed. Approval that 
applier is the individual specified in the Public Profile is an obligatory condi- 
tion, therefore we may ask that appliers faxes or e-mails it: 

1 — a written application asking for the database source or a change application; 

2 — a screenshot of a page, with marked information that you ask to change or 
to search in the source; 

3 — a legal proof of ID like State/Federal ID card that points your name, full ad- 
dress, date of birth (you can remove your personal photo an/or ID#); 

4 — any pseudonyms; 

6 — ex-addresses, including str.name, town, zip. 

You should fax this information to 800 861 9713 (please attach an e-mail so 
that we are able to contact you regarding any questions) or e-mail to Profile- 
Remove/at/waatp.com.com. Changes might take up to 6 weeks to come into ef- 
fect and are only constant if the info has been previously edited or removed at 
the original source. Without a constant change at the original source, the proc- 
ess of deletion of any info stored in a Public Profile is NOT guaranteed, 

An example of the No third Party policy can be found at People Smart, http:! / 
www.peoplesmart. com: 


;-ur.---^-nytwr — , " atlO , 

The Scoring of Americans 

Americans face a future that is increasingly being shaped in significant ways by 
their consumer scores. A consumer score provides a way of evaluating an individual 
or a household. The best-known consumer scoring activity is credit scoring. Credit 
scores date back to the 1950s, and replaced human judgment about credit granting 
by rel 3 dng on standardized criteria. While most people are familiar with credit scor- 
ing, consumer scoring encompasses a broader category of activities that uses scores 
to assess consumers for one or more purposes. 

The World Privacy Forum offers consumer scoring as a generic term for these 
scoring methods. A consumer score derives from an algorithm that typically employs 
objective criteria. The score relies on demographic, health, consumption, trans- 
actional data, marketing, credit, or other personal characteristics. Companies and 
governments use the resulting score to make a decision about an individual or 
household. 

By itself, consumer scoring is not necessarily good or bad. Scoring orders a popu- 
lation along a mathematically defined scale. However, scoring has the prospect of 
being used to affect individuals in significant ways that may not be fair. If a score 
becomes the way that consumers are treated, then the results may not be acceptable 
to the American public. The quality and relevance of the data used, the trans- 


it /sorted63'rtame.co/n/pAr;acy./i/m/, last accessed Dec. 17, 2013. Screen shot available. 
^‘^http:l I waatp.com I faq.html. Last accessed Dec 17, 2013. Screen shot available. 
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parency of the methodology, and the reasonableness of the application are the major 
factors that determine the fairness of any scoring activity. These issues are likely 
to he the central focus on the policy dehate about consumer scoring. 

Consumer scoring is already more widespread than most people realize. A signifi- 
cant segment of the data broker industry already focuses on scoring and predictive 
analytics, and as such, is intricately interwoven into the scoring business. Known 
consumer scoring activities include assessments and predictions relating to insur- 
ance, bankruptcy, identity, fraud, consumption, health, propensity to purchase, “con- 
sumer value estimation,” and more. A dozen categories of consumer scoring have 
been identified so far, each containing numerous scores. There may be hundreds or 
thousands of consumer scores already in use. The Federal Government uses scoring 
for some purposes, an activity beyond the scope of this testimony but something that 
may be worthy of more attention by the Congress. It might be useful, for example, 
to ask the Government Accountability Office to identify all of the consumer scoring 
used by Federal agencies. 

The use of consumer scoring is expanding rapidly because scores provide an easy 
analytics shorthand for measuring consumer behavior, risk, and potential for future 
success or spending. Companies and government will use scores to make more deci- 
sions about a consumer’s access to markets, price for goods and services, ability to 
travel, and other social and economic opportunities. Schools will use scores beyond 
academic measurement scores to determine the viability of candidates. 

Policy issues around consumer scoring 
Secrecy 

Most consumer scores today are secret — consumers cannot see most scores even 
if they know about them. Beyond the numeric value of the scores themselves, a com- 
plete lack of transparency surrounds consumer scores. Citing proprietary claims, the 
factors that make up consumer scores are secret. The procedures and algorithms are 
secret. Often, even the full numeric range and context are secret. 

Credit scores were unknown to most consumers through the 50s, 60s, 70s, and 
80s. Trickles of a score that was not disclosed to consumers but that could be used 
to deny a person credit began to leak out slowly to some policymakers, particularly 
around the time ECOA passed. In May 1990, the Federal Trade Commission wrote 
commentary indicating that risk scores (credit scores) did not have to be made avail- 
able to consumers. But when scoring began to be used for mortgage lending in the 
mid 90s,i® many consumers finally began hearing about a “credit score,” most of 
them for the first time, and mostly when they were being turned down for a loan.i'^ 
A slow roar over the secrecy and opacity of the credit score began to build. 

By the late 90s, the secrecy of credit scores and the fact that people could not see 
the underlying methodology or factors that went into the score or the range of the 
score to determine how the number should be interpreted was a full-blown policy 
issue. Beginning in 2000, a rapid-fire series of events — particularly the passage of 
legislation in California that required disclosure of credit scores — eventually dis- 
mantled credit score secrecy and non-disclosure. Now, credit scores must be dis- 
closed to consumers, and the context, range, and key factors are now known, 

Credit scores are no longer secret, and this was and still is the right policy deci- 
sion. Why are other scores secret, when they are being used for important decisions 
about consumers? Why are other score factors and numeric ranges secret, when the 
risk of marketing data comprising the score of a factor used in modern eligibility 
practices is very high? 

There should be no secret scores, and no hidden factors. 


i®The Direct Marketing Association’s publicly searchable Vendor Database contained 377 
companies stating an expertise specifically in scoring as of Dec. 15, 2013. Some examples of com- 
panies listed include Datalogix, Analytics IQ, FICO, iKnowtion, and others. 

i®In 1995 Freddie Mac and Fannie Mae endorsed the use of credit scores as part of the mort- 
gage underwriting process. This had a substantial impact on the use of credit scores in the mort- 
gage loan industry. See for example Kenneth Harney, The Nation’s Housing Lenders might rely 
more on credit scores, The Patriot Ledger, July 21 1995. 

I'^See for example, comments of Peter L. McCorkell, Senior Counsel to Wells Fargo, to the 
Federal Trade Commission, August 16, 2004 in response to FACT Act Scores Study. 

i®As of December 2004, the Fair Credit Reporting Act as modified by the Fair and Accurate 
Credit Transactions Act, or FACTA, ended score secrecy formally, and required consumer report- 
ing agencies to provide consumers with more extensive credit score information, upon request. 
Also made available to the public was the context of the score (its numeric range), the date the 
score was created, some of the key factors that adversely affected the score, and some other 
items. 
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Unfairness 

Of significant concern regarding scoring are the factors that go into the creation 
of a score. A single score is often created from the admixture of more than 600 to 
1,000 individual factors. These factors can include race, religion, age, gender, house- 
hold income, zip code, presence of medical conditions, zip code + 4, transactional 
data from retailers, and hundreds more. Therefore, one individual score can contain 
hidden factors that range from non-sensitive to quite sensitive. A score that is de- 
signed to assess or assign consumer value to a business could also include factors 
that would be entirely unacceptable or that, in the context of either the Equal Cred- 
it Opportunity Act (ECOA) or the Fair Credit Reporting Act, would be flatly illegal. 

In a description of its sets of scores that can be purchased, one company described 
how it creates its scores: 

Aspects Life Choices system 
Our Database at the Core 

Our proprietary set of data that allows us to produce powerful scored solutions. 
It is created from over 100 sources, updated quarterly, and contains 1,500 pro- 
prietary demographic, psychographic, attitudinal, econometric and summarized 
credit attributes. 

Clear Benefits to Users 

• Can be used to enhance any list • Applied at the Zip+4 level 

• Data can be custom modeled 

This particular company, like most companies selling consumer scores, does not 
publish its 100 sources nor its 1,500 attributes that it is using to develop the score 
for consumers’ perusal, nor does it summarize even the categories of information 
used for consumers. It is unlikely that consumers can purchase or see these scores 
for themselves,^® and like other consumer scores, this score is opaque. If ECOA fac- 
tors are present, no one but the company employees would know. 

Notably, the ECOA requires that credit scoring systems may not use race, sex, 
marital status, religion, or national origin as factors comprising the score. The law 
provides the opportunity for creditors to use age, however, also requires that seniors 
are treated equally.^^ Marital status is commonly used as a consumer score factor, 
as are other factors either directly or inferentially connected to factors that would 
be protected under ECOA but are not in broader consumer scores, even if those 
scores are being used for other eligibility decisions. 

Lack of Rights in Consumer Scoring 

After a consumer has been scored, the factors (behaviors, characteristics, etc.) that 
went into the score do not typically disappear. After the score have been recorded 
into a data broker’s host database, there is not a way for consumers to remove 
themselves from this activity. A discussion of how this impacts proxy credit scores 
is below. 

Exemplar: Modeled Credit Scores 

The privilege of marketing information based on credit report data comes with the 
requirement that consumers can opt out of that marketing. Marketing targeted to 
credit reports is strictly limited to credit and insurance.^^ But analytics are at such 
a sophisticated level now that accurate “modeled credit scores” are being created and 
used as a proxy for traditional credit scores. These modeled scores are made of con- 
sumer information drawn from beyond the traditional credit bureau score to create 


AnalyticsIQ, http:! ! analytics-iq.com ! download ! Aspects.pdf, last accessed Dec. 16, 2013. 

One exception to this is ID Analytics’ Identity Score, which consumers are able to see. 

For more information, see http: I / www.consumer.ftc.gov I articles 1 0152-how-credit-scores-af- 
fect-price-credit-and-insurance. 

22 A significant lawsuit on this issue is FTC v. Transunion which is definitive. From the press 
release: “The Federal Trade Commission has ordered the Trans Union Corporation to stop sell- 
ing consumer reports in the form of target marketing lists to marketers who lack an authorized 
purpose for receiving them under the Fair Credit Reporting Act (“FCRA”). In a unanimous opin- 
ion authored by Commissioner Mozelle W. Thompson, the FTC determined that “Trans Union’s 
target marketing lists are . . . consumer reports under the FCRA” and concluded that Trans 
Union is violating the FCRA by selling this information to target marketers who lack one of 
the “permissible purposes” enumerated under the Act. The Commission’s decision applies to a 
number of Trans Union’s target marketing list products including its Master File/Selects prod- 
ucts, its modeled products and its TransLink/reverse append products.” http:! Iwww.ftc.gov ! 
news-events / press-releases 1 2000 / 03 1 trans-unions-sale-personal-credit-infornuxtion-violates-fair. 
Full case: http: / / www.ftc.gov I enforcement / cases-and-proceedings / cases 12000 / 03 ! trans-union- 
corporation-matter. 
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an entirely new score. Because these scores contain no direct credit information, 
they are seen by some as outside of either ECOA or the FCRA. Therefore, informa- 
tion closely mimicking credit data is now being used for broad marketing purposes, 
and there is no requirement for opt out. 

A good modeled credit score predicts financial risk comparable to the traditional 
credit score. Fair Isaac’s Expansion Score draws consumer information from non-tra- 
ditional sources, that is, sources other than the big three credit bureaus. Although 
Fair Isaac does not disclose its data sources except directly to the individual con- 
sumer being scored, industry publications state that Fair Isaac is using deposit ac- 
count records and pay-day loan cashing as predictive factors in its Expansion 
Score.^^ The Expansion Score is reflated, so consumers who have an Expansion 
Score are entitled to knowing certain information about that score, including the 
factors. Fair Isaac is playing by the rules, but data broker data cards indicate that 
not all companies (or data brokers) are when it comes to inferred credit data or 
scores. 

Companies can now build score cards with very little or even no data by taking 
advantage of the new generic credit bureau scores to create a baseline of informa- 
tion. In these cases, the score card is typically monitored and evaluated closely to 
see if it is viable.^"* In this way, the equivalent of consumer credit scores that would 
be otherwise regulated under the FCRA end up being used for all sorts of purposes 
that would not be allowed had they been traditional credit scores. The end score 
could be something like a churn score, or customer loyalty score. In other situations, 
behavioral clues allow people to be targeted just as precisely as if their scores were 
known. 

People, for example, who have a low Beacon score (an Equifax credit score) and 
are subsequently turned down for the purchase of a phone, show up on a data 
broker mailing list called “Cell Phone Turndowns.”^® The data card says: “These 
consumers are ready and eager to receive offers and opportunities in the following 
categories: secured and sub-prime credit, Internet, legal and financial service, health 
insurance offers, home equity loans, money making opportunities, and pre-approved 
credit with a catalog purchase.” The Beacon score is not given — it does not need to 
be in order for data brokers to infer the credit score of these individuals. If a gener- 
alized credit score is known with certainty, as it is in this case, then why is it OK 
to then sell this information without limiting the data to FCRA constraints? 

The use of the modeled credit score is well understood by data brokers. 
DMDatabases wrote this on its website, discussing its modeled credit score: 

IMPORTANT NOTE: The Fair Credit Reporting Act (FCRA) does NOT allow 
the release of actual credit data to any party that lacks a permissible purpose, 
such as the evaluation of an application for a loan, credit, service, or employ- 
ment. Before requesting information on a credit score mailing list or credit score 
e-mail list, make sure your offer is in compliance with FCRA guidelines. For 
details on FCRA compliance requirements — CLICK HERE. 

GOOD NEWS/BAD NEWS: The bad news is that 90+ percent of offers do not 
meet the strict FCRA compliance requirements for using actual credit score 
data. The good news is that marketers have a very effective alternative . . . 
The Premier Modeled Credit Score Database. -ClACI^ HERE and read more.^® 

Experian sells ChoiceScore, a financial risk score built entirely of non-credit fac- 
tors.^'^ Experian explains in its description of the score that it is created from con- 
sumer demographic, behavioral, and geo-demographic information. One data broker 
selling a list of consumers who had been segmented by the ChoiceScore said this 
in its data card description, which can be seen in the screen shot below:^® 
ChoiceScore by Experian UnderBanked and Emerging Consumers 
ChoiceScore helps marketers identify and effectively target under-banked and 
emerging consumers. Using the most comprehensive array of non-credit data avail- 


Ann McDonald, High Points for Credit Scoring: With generic scores becoming antiquated, 
credit-scoring providers are focusing on new offerings. Collections and Credit Risk, April 1 2006, 
46 Vol. 10, No.4. 

24 LC Thomas, RW Oliver, DJ Hand, A Survey of Issues in Consumer Credit Modeling Re- 
search, The Journal of the Operational Research Society, Sept. 2005, Vol. 56, Iss. 9. 

2^ Cell Phone Turndowns Mailing List, NextMark List ID #188161. http:! j lists.nextmark.com i 
market?page=order I online I datacard&id=188161, last accessed Dec. 12, 2013. 

2® http://dmdatabases.com/databases/consumer-mailing-lists/consumer-lists-by-credit-score. 
More information about the DMDatabases modeled credit score is at http:! ! dmdatahases.com ! 
databases i specialty-lists ! modeled-credit-score-direct-mail-e-mail-list. 

22 Experian ChoiceScore, http:! j www.experian.com / marketing-services i data-digest-choicescore 
.html. 

^^http:! I datacardhub.adrearubin.com I market?page=research I datacard&id=268601. 
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able from Experian. A financial risk score (indicating the potential risk of future 
nonpayment) provides marketers with an additional tool for more precise tar- 
geting. ^9 The data card also indicated that the ChoiceScore could he used to sup- 
press some consumers from getting information. 


Datacard Hub 

Refine sea^tti | New Search Pnnt i 

CHOICESCORE BY EXPERIAN UNDER BANKED AND EMERGING CONSUMERS 

Under-banked consumers are identified as consumers that may or may not have a checkmg and savinQs account and use 
afterrtate financial services These attemate services Iridude check cashmg services, mortey orders. arxJ payday ioeris 
Emerging consumers are MentAed as cortsumers viho are r>ew to credit, either by ag e ftfes tyie events or cuttur^/genera ti onal 
bias These individutfs are typicaly undennarketad due to ther lack of credil fvs^ and use of non-tradtbonai payment 
methods 
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Manager 
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Under-Bankad Individual* 
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According to a joint KeySank arxl CFSI underbanked study, resporxlents . . c 

indicated strong interest in acqu'nng mainstream finanoal products, such 

as checking and savvigs accounts, loans and investments, and that they Consumer 

had clear financial goals, such as getting out of unproductive debt a«m 

rebuilding credit starting to save, ar>d Ie8mir>g how to use loarts to buM 

producbve assets . . k . ] 


Statistics about the underbanked: 

■ The unbanked arto underbanked spend over $10 bihion on attamate 
finanoal services products 

■ Approximately 20% of bN Afncan-Amencan and Hispanic households 
are underbanked 

■ Prepaid card uso roae 16% in 2011, and usage >$ protected to jump to 
44% in 2013 

ChotceScora hel;^ marfcatars identify and effectivety target under-banked 
af>d emerging consumers. Using the most comprehensrva array of norv 
cradlt data availaWa from Expenan. A ftoaridal risk acora (indicatng the 
potential nsk of future nonpayment) prov’des markeiars with an additional 
tool for rrKxe precise targeting. 


Thaae inrlniirlitoli are etao typicaiy uwdw>wriMlKl. andrapieaantan 
■wrf lH i t nppn ii i sTfty m arreaaprwT flm ni y irtilTperi parts 
population, eihar for aiiaeian or auppnHion Use the ChoicaScora 
custom models to target. 

■ Undermarketed new prospect segments that have not been exposed to 
direct-mail offers: 

■ IT A, secured credit, prepaid, debit and non-traditionaJ financial servica 
offenngs. 

Using the highest confidence levels/lowest nsk scores, the ChoiceScore 
models can also be used to target 

■ High-end, premium credit offers; 

■ High-end investment opportunities. 
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Based on Experian’s website, it appears that the ChoiceScore is apparently not 
available for sale to consumers. The score appears to be available for non-FCRA 
uses.^® What factors go into these and other scores? How is ChoiceScore used in eli- 
gibility decisions? The score’s factors are not defined, so it is difficult to know what 
kind of marketing data is included, if at all, in the score. It is also difficult if not 
impossible to determine how or if or when the score is being used in modern eligi- 
bility decisions. 


29 CHOICESCORE BY EXPERIAN UNDER BANKED AND EMERGING CONSUMERS, 
http:! I datacardhub.adrearubin.com I market?page=research I datacard&id=268601. 

^9 According to the data broker’s data card, two entities purchased this data: Achievecard, and 
Figi’s Incorporated. Figi’s Incorporated appears to be a food gift retailer. {http:l Iwivw 
.fbsgifts.com / about. html^figis). 
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Are credit factors bundled into any base scores? Are credit factors used for non- 
credit marketing? Are any ECOA factors in the scores? How are credit and ECOA 
factors weighted in the algorithms? We do not know. 

Modern data analytics have made child’s play of mimicking traditional credit 
scores and unearthing people who are in various credit score brackets. Congress 
acted to protect the use of this information with good reason. The change in tech- 
nologies that give us new modeled scores of great accuracy does not change the un- 
derlying principles that still need to be at work here: fairness, accuracy, trans- 
parency, and some reasonable limits in use. 

My question is this: if a modeled credit score is as good as a traditional credit 
score, shouldn’t it come under the FCRA1 I believe the answer to this is yes. Con- 
gress needs to draw a bright line around this issue in particular and ensure that 
for fairness reasons it does not get entrenched any further. I predict that when con- 
sumers learn of data broker activity in the scoring area, they will not be happy. 

Exemplar: Heath Scores 

Another category to consider is the area of health. Health scores are now in cir- 
culation, which brings concerns, not the least of which is that consumers care deeply 
about their health privacy and decisions made about them regarding their health, 
insurance policy pricing, and prescription pricing. The same questions raised above 
about transparency, secrecy, factors, and use are relevant here. Other questions 
come into play as well. For example: can employers purchase health scores? Are 
health scores shared with debt collectors? Of note in the area of health and in other 
areas is the issue that companies increasingly either 

Frailty Scores 

Regarding the Erailty Score, in 2011, a rather spectacular medical data breach 
revealed that a company called Accretive was collecting detailed and sensitive 
health information about hospital patients in Minnesota via contract with those hos- 
pitals, and then using that data to develop scores. A lawsuit revealed the extent of 
the information gathering by this company. The company was collecting the fol- 
lowing information and developing the following scores: 

• Patient’s full name 

• Gender 

• Number of dependents 

• Date of birth 

• Social Security number 

• Clinic and doctor 

• A numeric score to predict the “complexity” of the patient 

• A numeric score to predict the probability of an inpatient hospital stay 

• The dollar amount “allowed” to the provider 

• Whether the patient is in “frail condition” 

• Number of “chronic conditions” the patient has 

• Eields to denote whether the patient has: 

° Macular degeneration 

° Bipolar disorder 
° Depression 
° Diabetes 
° Glaucoma 
o HIV 

° Metabolism disorder 
° Hypertension 
° Hypothyroidism 
° Immune suppression disorder 
° Ischemic heart disease 
° Osteoporosis 
° Parkinson’s Disease 
° Asthma 
° Arthritis 
° Schizophrenia 
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° Seizure disorder 
° Renal failure 
° Low back pain 

The screenshot helow is a screenshot of a patient’s data that had been revealed 
in the breach, redacted for the lawsuit. 



One of the complaints in the lawsuit was that patients had no knowledge of this 
scoring activity. 


“Upon information and belief, the hospitals’ patient admission and medical au- 
thorization forms do not identify Accretive by name or disclose the scope and 
breadth of information that is shared with it. Upon information and belief, pa- 
tients are not aware that Accretive is developing analytical scores to rate the 
complexity of their medical condition, the likelihood they will be admitted to a 
hospital, their “frailty,” or the likelihood that they will be able to pay for serv- 
ices, among other things.” 

This was a complex case that illustrates the complex nature of what constitutes 
data broker activities. The company, Accretive, wore many hats, from debt collector 
to data analytics. Data anal 3 dics such as complex scoring is one form of data broker 
activity. However, Accretive in this case did not fit the traditional mold of data 
broker as list seller. No outsider can tell if the company is internally violating re- 
strictions in existing law. 

FICO’s Medication Adherence Score 

FICO’s Medication Adherence Score was launched in June, 2011, According to 
FICO, it is using variables from the marketing world: “. . . those variables include 
age, gender, family size and asset information — such as the likelihood of car owner- 
ship — data also used by direct marketing companies. FICO says that with only a 
patient’s name and address, it can pull the remainder of the necessary information 
from publicly available sources.” FICO states that the score is used to determine 
reminder mailings for consumers. It is unknown if the uses for the score have ex- 
panded since its introduction. Historically, prescription reminder activity has been 
controversial. Those chosen for reminders have not always not been very happy 


United States District Court, District of Minnesta. State of Minnesota vs. Accetive Health, 

Inc. 

32 Jeremy M. Simon, New medical FICO score sparks controversy, questions, Yahoo Finance, 
July 28, 2011. http: I / finance.yahoo.com I news/ New-medical-FICO-score-sparks-creditcards-1400 
6151 00. html ?x=0. 
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about it.^3 We suspect that prescription reminders are sent only to patients who 
have high-quality health plans and then only for high-priced, patent-protected 
drugs. That may be the type of information included in a score. 

General Conclusions about Consumer Scoring and Data Brokers 

I have mentioned above that the data business is changing and is becoming much 
more sophisticated. Consumer scores are a significant contributor to the change. 
Consumer scoring has substantial potential to become a major policy issue as scores 
with unknown factors and unknown uses and unknown legal constraints move into 
broader and broader use. 

Secrecy, fairness of the factors, accuracy of the models, the inclusion of sensitive 
information — these are some of the key issues that must be handled. It is exquis- 
itely unlikely that self-regulation will solve the dilemmas consumer scoring intro- 
duces. However, the path for what could constitute fair regulation in this area is 
already established via the history of the credit score. 

Solutions 

To bring fairness, accuracy, and transparency to consumers regarding data broker 
activities, a multi-prong approach which addresses multiple aspects of the problems 
needs to be pursued. 

National data broker list 

The Federal Trade Commission or the Consumer Finance Protection Bureau 
should require the industry to maintain a current list of all data brokers, with full 
identification, description, and contact information. If industry cannot provide the 
needed transparency, the agencies should create the list on their own. 

National consumer data broker opt out requirement 

There is an urgent need for a national consumer data broker opt-out requirement. 
Consumers should be able to opt out at a central portal. Data brokers should be 
allowed to download the list of those who have opted out. Data brokers would then 
be responsible for scrubbing their lists. 

The opt out needs to be standardized, and could operate like Prescreen Opt Out. 
Consumers would opt out at a central portal, consumer data brokers would be able 
to download the list of those who had opted out, then data brokers would be respon- 
sible for using this dated list to scrub their lists. 

National opt out standards: 

• No use of opt out data for marketing purposes 

• Standardized language around opt out 

• Prominent placement on home page of a button or link that says opt out 

• Notice to consumers that an opt-out request has been received and acted upon 

• Due process rights for consumers denied an opt out 

• Consequences for data brokers that do not comply 

• Opt outs for all without cost or prerequisites and with simple procedures 

Reform and oversight of affiliate marketing of consumers’ personally identifiable 
data. Affiliate marketing of consumer information creates very significant chal- 
lenges for consumers. The businesses selling the data should exercise appropriate 
and reasonable oversight. 

List brokers who are selling PII of consumers must allow consumers to see the lists 
they are on and opt out. If a consumer is on a list, why can’t the consumer be made 
aware of that? The list could be incorrect, and could have consequences if sold to 
an insurer or employer. 

The sale of lists that endanger lives or safety or wellness should be stopped. There 
are lists all of us should be able to agree should not exist. The lines can be drawn 
by regulatory agencies after consulting with consumers and industry 

No seeret eonsumer scores, no unfair factors. There should full publication of data 
elements (but not weights) used in consumer scores, and all data elements used 
must be reasonable. 

The expansion of the FCRA to include modern eligibility options. Eligiblity uses 
of data have expanded. The law may need to be expanded so that proxy credit scor- 
ing or modeled credit scoring clearly fall under the law. There should also be limits 
on the use of sensitive information in scoring and on the sale of health data in all 
contexts. In addition, data brokers should be subject to strict disposal requirements 


0!>Weld V. CVS Pharmacy Inc., No. CIV. A. 98-0897, 1999 WL 1565175 (Mass. Super. Nov. 19, 
1999), affd, Weld v. Glaxo Wellcome, Inc., 746 N.E.2d 522 (Mass. 2001). 



102 


and time limits for all data held. Fair Information Practices should be applied to 
consumer data broker practices and lists. 

Better Enforcement: Civil and in some cases criminal penalties when there is a 
breach of the law. Private rights of action for aggrieved consumers should be al- 
lowed, togegther with effective enforcement and oversight by the FTC and CFPB. 

Conclusion 

I agree that the data broker industry is complex, as is our digital world, as are 
the lives of all of us who live in this world. But that is no excuse for avoiding the 
necessary discussions that will need to take place between all stakeholders. 

In this testimony, I have said many things. It can be summed up in this way: 

Individuals should have the right to stop harmful collection and categorization 
activity and to force the permanent and immediate expungement of all data 
that is factually incorrect, data that arrives at an incorrect conclusion about 
them, or data that influences decisions about a consumer in a negative way. 

This was the idea behind the Fair Credit Reporting Act of 1974. It was a good 
idea then, and the fundamental values remain the same today. 

Thank you for your attention to these matters. I welcome your questions, and will 
be happy to provide further research or input. 

The Chairman. Thank you, Ms. Dixon. And you are exactly right; 
this is the beginning of a dialog. And we need to probe deeply, 
without fear of consequence, and then we need to do something 
about it. That will be a judgment that we will have to make, but 
you have already suggested a change in HIPAA, which is, you 
know, it used to be very sacred and still is but not in all cases. So 
I thank you for your testimony. 

Professor Joseph Turow. Now, Dr. Turow is the Associate Dean 
for Graduate Studies, the Annenberg School for Communications at 
the University of Pennsylvania. 

STATEMENT OF JOSEPH TUROW, ROBERT LEWIS SHAYON 
PROFESSOR OF COMMUNICATION, ASSOCIATE DEAN FOR 
GRADUATE STUDIES, ANNENBERG SCHOOL FOR 
COMMUNICATION, UNIVERSITY OF PENNSYLVANIA 

Mr. Turow. Thank you. Chairman Rockefeller, members of the 
Committee. 

In a bit of a different tack, I would like to address two key ques- 
tions about data brokers and their collection of information about 
Americans for marketing purposes. 

First, if we take sensitive topics like health and employment out 
of the equation, what possible harm can come from using people’s 
data for marketing purposes? After all, what we are talking about 
is simply targeting for product advertising. 

Second, haven’t data brokers and their lists been around for over 
a century? And if so, what makes them today any different from 
the past? 

Let’s start with the history question. It is true that marketers 
compiled and bought lists of prospects way back into the 19th cen- 
tury. These lists became more detailed in the 20th century. But the 
differences between the lists of even 35 years ago and those of 
today is extreme. The biggest distinction is the amount of informa- 
tion brokers have now and how they deal with it. 

Lists of the old days were pretty static. The numbers of data 
points companies had about us was rather small. It was difficult 
to interconnect pieces of data, and the data didn’t change all that 
quickly. Today, data brokers can collect huge amounts of informa- 
tion about tens of millions, even hundreds of millions of people. 
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They update that information frequently. And they use high-speed 
computers and advanced statistics to draw conclusions in ways pre- 
vious generations of data brokers could hardly imagine. 

Consider Acxiom’s recent data catalog. It contains 41 pages of in- 
formation about individual Americans that Acxiom sells to market- 
ers. That information ranges from the amount of money people 
make to the kinds of vacations they take, to the number of friends 
they have on social media, to the value of neighborhoods they live 
in, to diseases they have an interest in, to how tall they are, to 
whether they gamble, to their media uses and much more. Axiom 
sells any numb^er of these items about individuals, as well as pack- 
ages of these data, tailored to marketers from different industries. 

In addition, through its Acxiom Operating System, the data 
broker has created a kind of universal cookie to find and follow 
people across desktops, laptops, mobile phones, and tablets, as well 
as to collect yet more information about them from these media. 

Like Acxiom, other data brokers continually run programs that 
connect our dots for marketers and then attach them to other ideas 
the marketers have about us. The brokers often bring together 
pieces of information that people did not expect would be merged 
when they disclosed them separately to various online and offline 
entities. The results are buckets of descriptions and interpreta- 
tions, stories of our lives, our economic value, and our potential 
that we don’t know exist and may not agree with. 

The consequences of their use in marketing can be profound and 
disturbing. For example, merchants can charge you more than oth- 
ers for products based on features they tag you with that you don’t 
even know you have shared. Say a data broker’s knowledge you 
regularly buy antacids blends into a complex algorithm to predict 
that you are inclined to accept higher prices for recreation than 
most people. That is great news to travel companies searching on- 
line for those types of people. 

Using apps and personalized coupons, physical and virtual stores 
can change their prices based on what they know about you. Data 
brokers can add information about your lifetime value to retailers’ 
understanding of you from receipts. The results can dictate the 
kinds of items you see at discount and how much that discount will 
be. 

Negative data broker signals about you can mean having to wait 
longer than others for customer service, being rejected as a valued 
customer, and being offered coupons for non-nutritious foods. 

Based on predictions of your engagement with the digital or ad- 
dressable ads, media firms can change the news and entertainment 
offerings you receive compared to news and entertainment offerings 
your neighbor or coworkers get. The result: you systematically see 
different worlds from your friends or work colleagues because of 
the stories brokers tell about you. 

Now, many of these examples already are taking place. All of 
them are quite plausible. Data brokers trumpet that they often 
make the individuals they sell to marketers for ads anonymous so 
there is no problem. But anonymity of this sort is not reassuring. 
If I am followed online and offline by buckets of data that tell par- 
ticular stories about me, it doesn’t matter if my name is Joe Turow 
or 2588704. 
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Anonymously and with our full personal information, data bro- 
kers are encouraging a world of data-driven social discrimination 
that is becoming widespread precisely because it comes with all 
sorts of advertising. 

Surveys I have conducted since 1999 consistently suggest Ameri- 
cans worry about what firms learn and think about them. Poign- 
antly, I have heard people say they will change their activities or 
how they talk about themselves online to be treated better by mar- 
keters. The difficulty, of course, is that it is often impossible to 
know whether and how that is going to work. 

We are only at the beginning of a data-driven century. Data bro- 
kers will be central to how we think of ourselves and lead our lives. 
For the sake of democratic ideals and relationships, let’s limit what 
and how much data brokers can collect and share until, as a soci- 
ety, we know how to create regimes of data respect, where people 
have control over the most important elements of their identity. 

Thank you. 

[The prepared statement of Mr. Turow follows:] 

Prepared Statement of Joseph Turow, Robert Lewis Shayon Professor of 

Communication, Annenberg School for Communication, University of 

Pennsylvania 

I would like to address two key questions about data brokers and their collection 
of information about Americans for marketing purposes: 

First, haven’t data brokers and their lists been around for over a century and if 
so what makes today any different from the past? Second, if we take sensitive topics 
like health treatments and employment issues out of the equation — which many 
agree should be done — what possible harm can come by using people’s data for mar- 
keting purposes? After all, what we’re talking about is simply targeting for product 
advertising. 

Let’s start with the history question. It is true that marketers compiled and 
bought lists of prospects way back into the 19th century. These lists became more 
detailed into the 20th century. But the difference between list of even 35 years ago 
and those of today is extreme. The biggest distinction is the amount of information 
brokers have and how they deal with it. Lists of the old days were pretty static. 
The numbers of data points companies had about us was rather small, it was dif- 
ficult to interconnect pieces of data, and the data did not change all that quickly. 
Today’s data brokers can collect huge amounts of information about tens of millions, 
even hundreds of millions, of people. They update that information frequently, and 
they use high-speed computers and advanced statistics to draw conclusions in ways 
previous generation of data brokers could hardly imagine. 

Consider Acxiom’s recent data catalog, which was available online until the com- 
pany abruptly took it off a number of months ago. It contains 41 pages of informa- 
tion about individual Americans that Acxiom sells to marketers. That information 
ranges from the amount of money the people make, to the kinds of vacations they 
take, to the number of friends they have on social media, to the value of the neigh- 
borhoods they live in, to diseases they have an interest in, to how tall they are, to 
whether they gamble, to their media usage, and much more. Axiom sells any num- 
ber of these items about individuals as well as packages of these data tailored to 
marketers from different industries. In addition, through its Axiom Operating Sys- 
tem the data broker has created a kind of universal cookie to find and follow people 
across desktops, laptops, mobile phones, and tablets as well as to collect yet more 
information about them from these media. 

Like Acxiom, other data brokers continually run programs that connect our dots 
for marketers — and then attach them to other ideas the marketers have about us. 
The brokers often bring together pieces of information that people did not expect 
would be merged when they disclosed them separately to various online and offline 
entities. The results are buckets of descriptions and interpretations — stories — of our 
lives, our economic value, and our potential that we don’t know exist and may not 
agree with. The consequences of their use in marketing can be profound and dis- 
turbing. For example: 
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• Merchants can charge you more than others for products based on features they 
tag you with that you don’t even know you’ve shared. Say a data broker’s 
knowledge you re^larly buy antacids blends into a complex algorithm to pre- 
dict that you are inclined to accept higher prices for recreation than most peo- 
ple. That’s great news to travel companies searching online for those types of 
people. 

• Using apps and personalized coupons, physical and virtual stores can change 
their prices based on what they know about you. Data brokers can add informa- 
tion about your “lifetime value” to retailers’ understanding of you from receipts. 
The result can dictate the kinds of items you will see at discount and how much 
that discount will be. 

• Negative data broker signals about you can mean having to wait longer than 
others for customer service, being rejected as a valued customer, and being of- 
fered coupons for non-nutritious foods. 

• Based on predictions of your “engagement” with the digital or “addressable” 
ads, media firms can change the news and entertainment offerings that you re- 
ceive compared to the news and entertainment neighbors or coworkers get. The 
result: you systematically see different worlds from your friends or work col- 
leagues because of the stories brokers tell about you. 

Many of these examples are already taking place. All of them are quite plausible. 
Data brokers trumpet that they often make the individuals they sell marketers for 
ads anonymous, so there is no problem. But anonymity of this sort is not reassuring. 
If I am followed online and offline by buckets of data that tell particular stories 
about me, it doesn’t matter if my name is Joe Turow or 2588704. Anonymously and 
with our full personal information, data brokers are encouraging a world of data- 
driven social discrimination that is becoming widespread precisely because it comes 
with all sorts of advertising. Surveys I have conducted since 1999 consistently sug- 
gest Americans worry about what firms learn and think of them. Poignantly, I have 
heard people say they will change their activities or how they talk about themselves 
online to be treated better by marketers. The difficulty, of course, is that it’s often 
impossible to know what will work. 

We’re only at the beginning of a data-driven century. Data-brokers will be central 
to how we think of ourselves and lead our lives. For the sake of democratic ideals 
and relationships, let’s limit what and how much data brokers can collect and share 
until as a society we know how to create regime of data respect where people have 
control over the most important elements of their identity. 

The Chairman. Thank you very much. 

Mr. Hadley, Tony Hadley, is Experian’s Senior Vice President of 
Government Affairs and Public Policy. 

Please. We welcome you. 

STATEMENT OF TONY HADLEY, SENIOR VICE PRESIDENT OF 
GOVERNMENT AFFAIRS AND PUBLIC POLICY, EXPERIAN 

Mr. Hadley. Thank you, and good afternoon. Chairman Rocke- 
feller and members of the Committee. My name is Tony Hadley, 
and I am Experian’s Vice President of Government Affairs and 
Public Policy. 

Experian is a leading provider of data and information services 
that bring significant value to consumers and the economy. We 
welcome the Committee’s interest and dialog in the marketing data 
industry and this opportunity to describe how Experian collects 
and uses data. 

I have submitted a fuller statement, but I am going to summa- 
rize just a couple points. 

First, Experian truly believes that responsible information-shar- 
ing significantly enhances economic productivity in the United 
States and provides many benefits to consumers. Economists have 
called the manner in which U.S. companies collect and share con- 
sumer information among affiliated companies and third parties 
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the secret ingredient to our productivity, innovation, and ability to 
compete in the global marketplace. 

Experian shares data to help make consumers and small-busi- 
ness lending more efficient. We share to help facilitate access to 
fair and affordable credit; to help protect consumers from fraud, in- 
cluding identity theft; to help consumers gain greater financial lit- 
eracy; and to help companies reach consumers with timely and rel- 
evant communications and marketing offers. Marketing data, in 
particular, brings lowers prices and greater convenience to con- 
sumers by strengthening competition. 

Nonprofit organizations and government agencies also depend 
upon consumer data to efficiently serve the needs of people and 
citizens. And just as important, Experian’s data allows small com- 
panies, including many in the state of West Virginia and the other 
states around the nation, to compete with larger companies who 
maintain very sizable customer data bases. So Experian provides 
small businesses with the same data sets that their larger competi- 
tors have so that they can compete and grow their companies. 

A significant point I would like to make also is that the oper- 
ations of Experian Marketing Services and the data it collects and 
uses and shares is completely separate from Experian’s operations 
as a consumer credit bureau. No eligibility determinations relating 
to credit, insurance, employment, housing, or any other decision 
under the FCRA is ever made with Experian marketing data. 
Experian has in place strict policies as well as technological, man- 
agement, and procedural controls to ensure there is complete sepa- 
ration. 

Experian shares data responsibly by carefully safeguarding com- 
pliance with all privacy and consumer protection laws and industry 
self-regulatory standards. We even promote new industry self-regu- 
latory standards and best business practices. 

The Committee has also sought specific information about our 
clients and our data sources. Experian provides marketing data to 
a wide variety of client organizations in the private, government, 
and nonprofit sectors that market to consumers through multiple 
channels, both online and offline. The largest sectors we serve are 
retail, media, and financial services, but our products are used by 
nearly all sectors of the economy. 

Experian uses include the sources for specific products in which 
the Committee has expressed interest. Most of our data comes from 
public records and publicly available information such as ZIP-code- 
level census information, local property records, and telephone di- 
rectories. Added to this, many people voluntarily provide data to 
Experian by filling out surveys and questionnaires. 

These multiple sources of data are aggregated at the household 
level, then analyzed and modeled to predict household preferences 
and propensities. Such methods result in a group of consumers re- 
ceiving messages and advertising that they are more likely inter- 
ested in responding to. When all is said and done, we help market- 
ers make the best guess about what messages and marketing solici- 
tations a group of consumers may be most interested in responding 
to. 

Finally, I want to emphasize that Experian has made every effort 
to be forthcoming and cooperative throughout the inquiry launched 
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by the Committee this year. We have spent considerable time and 
resources to ensure that the information and documents we have 
provided are helpful to the Committee’s work in understanding the 
marketplace. To date, Experian has provided the Committee with 
eight submissions, totaling over 3,000 pages. And we believe this 
provides a full description of our products, services, and consumer 
protections. 

We are here today as the only corporate representative in that 
spirit of cooperation to help the Committee better understand our 
role in data services and the role we play in the economy and the 
lives of consumers. 

We thank you for your attention and for inviting us to appear 
here, and we look forward to continuing to work with you. And I 
will answer any questions the Committee might have. Thank you. 
[The prepared statement of Mr. Hadley follows:] 

Prepared Statement of Tony Hadley, Senior Vice President of Government 
Affairs and Public Policy, Experian 

Good afternoon. Chairman Rockefeller, Ranking Member Thune, and members of 
the Committee. My name is Tony Hadley and I am Experian’s Senior Vice President 
of Government Affairs and Public Policy. Experian is a leading provider of data and 
information services that bring significant benefits to individual consumers, the 
economy and society as a whole. We welcome the Committee’s interest in the mar- 
keting data industry and this opportunity to describe to the Committee how 
Experian obtains and uses data. I would like to raise a few key points at the outset 
of my testimony today. 

First, Experian believes responsible information sharing significantly enhances 
economic productivity in the United States and provides many benefits to con- 
sumers. Economists have called the manner in which U.S. companies collect and 
share consumer information among affiliated entities and third parties the “secret 
ingredient” to our productivity, innovation and ability to compete in the global mar- 
ketplace. One needs only to look at data-intensive industries like telecommuni- 
cations, information technology, online services, financial services, retail and health 
care to see this innovation at work. Indeed, Experian data products and services are 
central to countless transactions within these vital business sectors. 

Experian also shares data to help make consumer and small business lending 
more efficient; to help facilitate access to fair and affordable credit; to help protect 
consumers from fraud, including identity theft; to help facilitate greater financial 
literacy among consumers; and to help companies reach consumers with timely and 
relevant communications and marketing offers. 

A second significant point I would like to make is that the operations of Experian 
Marketing Services and the data that it collects, uses and shares are completely 
separate from Experian’s operations as a consumer credit bureau. No eligibility de- 
terminations relating to credit, insurance, emplo3mient, housing or other decisions 
covered by the Fair Credit Reporting Act are made with Experian marketing data. 
Experian has in place strict policies, as well as technological and procedural con- 
trols, to ensure this complete separation. 

At the Committee’s request, and in recognition that credit data differs from mar- 
keting data, Experian’s responses to the Committee’s inquiry have focused on our 
operations involving data for marketing purposes. That is what I will speak to for 
the remainder of my testimony. 

Marketing data, in particular, brings lower prices and greater convenience to con- 
sumers by strengthening competition. Both large and small businesses rely on data 
to make their marketing efforts more efficient and to identify new customers. Non- 
profit organizations and government agencies also depend upon consumer data to 
efficiently serve the needs of people and citizens and to enable e-government. For 
the Internet, this has meant providing more and improved content to consumers. 
Consumers also benefit from receiving relevant advertising offers that they are more 
likely to value and use. Marketing data is a critical driver behind the growth and 
efficiency of e-commerce. 

Importantly, Experian’s data allows small companies, including many in the state 
of West Virginia and throughout the country, to compete with larger companies that 
maintain sizeable customer data assets of their own. Experian Marketing Services 
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helps small businesses to successfully identify new customers, thereby establishing 
and fueling successful businesses. 

Experian shares data responsibly — by carefully safeguarding compliance with all 
privacy and consumer protection laws and industry self-regulatory standards, ad- 
vancing and observing industry best practices, and establishing and monitoring ad- 
herence to our own corporate policies and practices. These “best practices” help bal- 
ance the benefits to consumers that result from information sharing while respond- 
ing to legitimate concerns consumers may have about how information about them 
is collected, shared, used and protected. 

Marketing data differs in important ways from consumer credit data. Experian’s 
marketing data is drawn primarily from public records and other publicly available 
sources and includes data that is “modeled” or predicted rather than actual, raw 
data from consumers. In addition, we strive for the highest standards of data qual- 
ity. It is also important to recognize that the only negative consequence to con- 
sumers of inaccurate marketing information would be the possibility of 
uninteresting advertising and marketing. For this and other reasons, the Federal 
Trade Commission has recommended that it is not necessary to require consumer 
disclosure and correction for consumer data used only for marketing purposes. 

As described in our materials provided to the Committee, Experian has a robust 
internal compliance program designed to ensure that marketing data is only used 
for marketing purposes. Experian’s marketing data assets are regulated under many 
different authorities such as Section 5 of the Federal Trade Commission Act, the 
Controlling the Assault of Non-Solicited Pornography and Advertising (CAN-SPAM) 
Act, the National Do Not Call Registry, the Children’s Online Privacy Protection Act 
(COPPA), and comparable state laws and regulations. The Direct Marketing Asso- 
ciation’s Guidelines for Ethical Business Practice provide an additional foundation 
for our compliance approach to marketing data. Further, Experian’s global corporate 
information values — balance, accuracy, security, integrity and communication — for- 
mally guide our data collection and use practices. Our global information values 
align with the fair information practices and principles embraced by the FTC and 
other international organizations, including the OECD, the European Union and 
APEC. 

Finally, I want to emphasize that Experian has made every effort to be forth- 
coming and cooperative throughout the inquiry launched by the Committee over a 
year ago. We have consistently been assured that this inquiry aims to build a gen- 
eral understanding within the Committee of the marketing data ecosystem. We have 
also been active in policy dialogues promoting effective data security and privacy 
principles for all data. We have spent considerable time and resources to ensure 
that the information and documents we have provided are helpful to the Commit- 
tee’s work in understanding the marketplace. To date, Experian has provided the 
Committee with eight submissions totaling over three thousand pages, which we be- 
lieve should provide a full description of our products, services and consumer protec- 
tions. We have also met with the offices of the Senators on the Committee to de- 
scribe our practices and respond to any questions about our company, products and 
services. We are here today, in the spirit of cooperation, to help the Committee bet- 
ter understand the role our data services play in the economy and in the lives of 
consumers. 

The Committee has also sought specific information about our clients and our 
data sources, so I would like to provide a few details about the categories and na- 
ture of each. As I just mentioned, Experian has already provided a great deal of in- 
formation and internal documents, some of which we regard as competitively sen- 
sitive, to explain the types and categories of clients we serve. 

These include client organizations in the private, government and non-profit sec- 
tors that communicate and market to consumers through multiple channels includ- 
ing direct mail, catalog, telephone, e-mail, mobile, Internet display ads, social 
media, highway billboards, newspapers and other publications. The largest sectors 
we serve are retail, media and financial services. We also provide marketing serv- 
ices to clients involved in automotive, professional services, telecommunications, 
consumer goods, healthcare, travel, insurance, utilities, education and politics. In 
total, Experian’s data and services are used by all sectors of the economy. 

We have also provided to the Committee details on the categories of data sources 
we use, including the sources for specific products in which the Committee has ex- 
pressed interest. As I previously stated, a good deal of our data comes from public 
records and publicly available information such as ZIP-code level Census informa- 
tion that does not identify specific individuals, local property records, and telephone 
and similar directories. Added to this, many people voluntarily provide data to 
Experian by filling out surveys and questionnaires, both online and offline, which 
contain clear disclosures of the fact that information that the individual provides 
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will be used for marketing purposes. Some selected business partners also provide 
Experian consumer information after they have gained appropriate consent from the 
consumer or have de-identified or modeled customer data at the ZIP-code level. 

These multiple sources of data are often aggregated at the household level, then 
analyzed and modeled to predict household preferences and propensities. The anal- 
ysis is aimed largely at helping marketers understand key segmentation factors 
such as approximate age, gender, education level, family size and estimated family 
income. Marketers can then use these key demographic segments and propensity 
models in combination with their own customer data to tailor relevant messages to 
existing or potential customers. Such age-old methods result in a group of con- 
sumers receiving messages and advertising that they are more likely interested in 
and will respond to — benefiting the consumer and the business. When all is said and 
done, we help marketers make the “best guess” about what messages and marketing 
solicitations a group of consumer may be most interested in responding to at the 
time they are interested. 

Finally, Experian has shared materials on our range of marketing products and 
services, on how we assure the quality and integrity of our data, and on numerous 
other topics. In particular, we have informed the Committee about the robust pri- 
vacy framework that Experian has in place to ensure that regulated data is used 
only for permissible purposes, while marketing data is used only for marketing pur- 
poses. To maintain this strict division, Experian uses a combination of measures 
such as dedicated compliance teams, employee training, and contractual restrictions 
including audit rights. With respect to marketing products in particular, Experian’s 
compliance team uses auditing steps such as mail piece review and list “seeding” 
to monitor how data is used by clients. 

We have also shared with the Committee information about the consumer protec- 
tions we provide for marketing data, including offering consumers transparency 
about our practices through privacy statements and the option to suppress the use 
of their data for various types of marketing solicitations. 

Thank you for your attention, and for inviting me to appear before the Committee. 
I look forward to answering any questions the Committee may have. 

Experian Marketing Services - Major Client Categories 
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The Chairman. Thank you, Mr. Hadley, very much. 

I want to get this right: Jerry Cerasale. Did I do it right? 

Mr. Cerasale. You did it correctly. Thank you. I appreciate it. 
The Chairman. I am thrilled. 
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You are the Senior Vice President of Government Affairs for the 
Direct Marketing Association, DMA. We welcome your testimony. 

STATEMENT OF JERRY CERASALE, SENIOR VICE PRESIDENT 
OF GOVERNMENT AFFAIRS, DIRECT MARKETING ASSOCATION 

Mr. Cerasale. Thank you. Senator Rockefeller, members of the 
Committee, DMA appreciates the opportunity to be here today and 
to talk about this important subject. 

On a personal note, I want to say that I have testified before this 
committee many times, I have testified before other committees be- 
fore Congress, and today, on my last day of work before I retire, 
I want to thank Congress for the opportunities they have given me 
to participate in dialog here before the Congress. And I appreciate 
it. 

Senator Rockefeller, I will not be here when you retire at the end 
of this Congress, so I want to say personally we thank you for your 
service to the United States. 

Now back to why I am here today, talking about data. Data 

The Chairman. Are we allowed to ask you questions, or is 
your 

[Laughter.] 

Mr. Cerasale. Yes, you can ask questions. Sadly, they know 
where to find me to get the questions to me. They say I am a phone 
call away, and I have promised that they can call me. I didn’t 
promise I would answer the phone, but that is beside the point. 

[Laughter.] 

Mr. Cerasale. Anyway, data. Every consumer-facing business in 
the United States uses data today. It is important, it drives our 
economy, it is driving our current recovery. And it is very, very im- 
portant to us and to our members. 

And in that light, DMA has created the Data-Driven Marketing 
Institute, and it has commissioned a study to take a look at the 
value of data and the uses of data in the American economy. And 
we used a professor from Harvard Business School and a professor 
from Columbia University, and they conducted this value-of-data 
study and found that data is worth $156 billion a year to the Amer- 
ican economy, 675,000 jobs, and 70 percent of that influence is re- 
lated to sharing of data by companies. 

But even more importantly, this data-sharing helps small busi- 
nesses. It helps break down the barriers to entry so small busi- 
nesses can come in and compete with the big boys. And it keeps 
them, once they get a foothold, it keeps them on a level playing 
field. 

But this is not new. This has been happening for a long time. I 
will give you a couple of examples. L.L. Bean started with a list 
of nonresident Maine hunters, and that is how that started. The 
Discover card, which is one of the first credit cards that was a re- 
ward credit card, began with a list of Sears credit holders. Without 
those lists, those companies wouldn’t have started, those benefits 
from those two companies would not have been realized. So it is 
important. 

It is personal information that is used. And the United States 
has some strong privacy laws: Fair Credit Reporting Act, Children’s 
Online Privacy Protection Act, CAN-SPAM, HIPAA, GLB, Data 
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Pass, and so forth. And those laws are complemented by self-regu- 
lation by the industry. 

And I can speak only for DMA here. DMA has a peer ethics com- 
mittee that meets monthly, handles complaints from consumers 
and other businesses that are brought to it against members and 
non-members. Most of them comply with our guidelines. Those that 
don’t, we publicize them on the webpage. If t^here is a violation of 
law, we turn it over to the state AGs, to the Federal Trade Com- 
mission, to the Postal Inspection Service, to law enforcement. 

And as we have looked at this, the Federal Trade Commission 
has said that they support this complementary effort by self-regula- 
tion, and we want to continue that. And we continually at DMA up- 
date these guidelines so that they are alive and meet today’s real- 
world efforts. 

One of the things that we can talk about, however, that all of 
this is, in fact, working. The American consumers are voting with 
their pocketbooks and their feet, and e-commerce is growing, grow- 
ing multiple times the rest of the economy, because they have trust 
in this process. And think about it; they need trust. They are pur- 
chasing something without having it on hand and paying for it be- 
fore they receive it. They need to have that trust. And this econ- 
omy, this data-driven economy is, in fact, working. 

Think about the great American success story, and I mean really 
great American success story, Amazon. On Cyber Monday, it sold 
300 items per second. That shows that Americans have confidence 
in this. Their needs as American consumers are being met in this 
data-driven economy. 

There are clearly concerns. There are concerns about what is 
happening. You have heard them; it is in the report and others. We 
have heard them today. We should focus on the improper use of 
data and figure out how to prevent the improper use of data. 

But one of the things we can’t do is pull away and stop respon- 
sible uses of data that are driving this economy. That is something 
that we have to be very careful of as part of this dialog we are hav- 
ing today. The American economy, small businesses, American 
workers, and American consumers rely on and benefit from respon- 
sible data use. And America leads the world in that category, and 
we hope to keep it that way. 

Thank you very much for this opportunity. I look forward to an- 
swering any of your questions. 

[The prepared statement of Mr. Cerasale follows:] 

Prepahed Statement of Jerry Cerasale, Senior Vice President of 
Government Affairs, Direct Marketing Association 

I. Introduction 

Chairman Rockefeller, Ranking Member Thune, and members of the Committee, 
good afternoon and thank you for the opportunity to testify before you today. 

My name is Jerry Cerasale. I am the Senior Vice President of Government Affairs 
for the Direct Marketing Association (“DMA”), the world’s largest trade association 
dedicated to advancing and protecting responsible data-driven marketing. Today, I 
am pleased to testify on behalf of the DMA and to discuss with the Committee the 
important role that marketing data and database compilers play in aiding con- 
sumers and fueling the United States economy. 

Founded in 1917, the DMA (www.thedma.org) represents thousands of companies 
and nonprofit organizations that use and support data-driven marketing practices 
and techniques. On behalf of its member companies, the DMA advocates industry 
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standards for responsible marketing; promotes relevance as the key to reaching con- 
sumers with desirable offers; and provides cutting-edge research, education, and 
networking opportunities to improve results throughout the end-to-end direct mar- 
keting process. 

My testimony today will describe the value that marketing data has across the 
U.S. economy and affords to consumers. I will also explain how marketing data is 
collected and how DMA members, including data compilers, responsibly use and 
share this data to serve consumers. Lastly, I will explain how DMA and its member 
companies are subject to our longstanding and enforceable self-regulatory frame- 
work, the DMA Guidelines for Ethical Business Practice (“DMA Guidelines”). 

II. The Value of Data 

Responsible collection and sharing of marketing data is critical to today’s informa- 
tion economy. When data is used to fuel data-driven marketing, these practices pro- 
vide many benefits for job growth, entrepreneurship and innovation, as well as to 
individual consumers. 

A. The Value of Data to the U.S. Economy and American Workforce 

A recent study entitled. The Value of Data: Consequences for Insight, Innovation 
& Efficiency in the U.S. Economy (“Value of Data”), quantifies the critical role that 
the use and sharing of marketing data plays in fueling economic growth. ^ Commis- 
sioned by DMA’s Data-Driven Marketing Institute and conducted independently by 
Professors John Deighton of Harvard Business School and Peter Johnson of Colum- 
bia University, the study revealed that the Data Driven Marketing Economy 
(“DDME”) generated $156 billion in revenue to the United States economy and 
fueled more than 675,000 jobs in 2012 alone. Further, the study found that an addi- 
tional 1,038,000 people owe their employment to these DDME jobs.^ The study esti- 
mated that 70 percent of the value of the DDME — $110 billion in revenue and 
475,000 jobs nationwide — depends on the ability of firms to share data across the 
DDME. If this ability to share data were curtailed, those jobs and revenue would 
be impacted and the U.S. economy would be much less efficient. 

The DDME is a uniquely American creation, and today data-driven marketing is 
an important U.S. export. Just as the United States led the world when Mont- 
gomery Ward developed the first mail order catalog in 1872, and created digital 
market-making media by commercializing the Internet browser in the 1990s, today 
the United States is at the forefront of data-driven market growth. The Value of 
Data study found that the United States leads the world in data science applied to 
the marketplace, with DDME firms deriving up to 15 percent of their revenue over- 
seas, while employing nearly all of their workers inside the United States.® 

The Value of Data study also found that database compilers are an important 
piece of the DDME. For instance, list services and database marketing input pro- 
viders added $7 billion and 31,000 jobs to the United States economy.^ They were 
able to do this by combining data that they receive from various sources to create 
marketing opportunities. Database compilers derive most of their economic effect 
from their ability to share this data with marketers that, in turn, can provide con- 
sumers with more relevant advertisements. 

B. The Value of Data to Entrepreneurship and Innovation 

The use of data inspires new technological designs and fosters entrepreneurship 
in the process. According to the Value of Data study, the bridge between an idea 
and its implementation at scale is considerably shorter in an information economy 
than in an industrial economy.® 

The DDME, and the services offered by database compilers, are essential to the 
success of start-up companies and other small businesses. The Value of Data study 
found that the sharing of data across the DDME enables small and innovative busi- 
nesses to compete effectively with big players, launching innovative offerings using 
data. Data gives all companies, and especially small businesses, the ability to effec- 
tively match products to customers both online and offline, thereby lowering bar- 
riers to market entry for specialized or niche offerings that previously could not 
have succeeded. 


1 Deighton and Johnson, The Value of Data: Consequences for Insight, Innovation & Efficiency 
in the U.S. Economy (2013), available at http: 1 1 ddminstitute.thedma.org I #valueofdata (herein- 
after “The Value of Data”). 

^The Value of Data at 74. 

^The Value of Data at 21. 

"^The Value of Data at 53—54. 

^The Value of Data at 78. 



113 


C. The Value of Data to Individual Consumers and Companies 

Consumers demand personalization, and enterprises that know their customers 
better can also serve them better. Data-driven marketing is about discerning what 
customers want and need and engineering the company to provide it. Consumers 
benefit from companies’ responsible collection and analysis of user data by receiving 
timely and relevant offerings through the marketplace and products designed to 
meet their needs. In this way, consumers enjoy a more informed and effective shop- 
ping experience, which saves them both time and money. 

According to the Value of Data study, the efficiency that data brings to the prac- 
tice of marketing also bears directly on consumer welfare. Marketing absorbs a sig- 
nificant percentage of manufacturer revenues, meaning that marketing costs can in- 
crease the price that consumers pay for food and household products by up to $25 
in every $100 spent. When marketing is informed by data, it is more efficient and 
some of this value flows back to consumers in the form of lower prices.® 

In short, the flow of data throughout the DDME is creating consumer-driven com- 
panies. Data sharing promotes competition and entrepreneurship. In the process, 
jobs are created across the United States and consumers are exposed to an array 
of new products and services that would be unavailable or unknown to them absent 
data-driven marketing. 

III. The Responsible Collection and Use of Consumer Data 

Marketing data comes through a variety of sources. It is analyzed by marketers 
to make predictions about likely consumer preferences to guide marketing cam- 
paigns. 

A. Marketing Data Collected Directly from Consumers 

A common source of marketing data is data obtained by businesses from direct 
interaction with customers. When a customer purchases goods in a local store or 
shops online, data about that purchase is gathered by the marketer. Marketers use 
data from other sources, including information from public records and other pub- 
licly-available sources, such as U.S. Census data. Marketing data may also include 
self-reported information that consumers choose to provide through surveys. Mar- 
keting data does not include the types of information that create a risk of identity 
theft or fraud to consumers, such as financial account numbers or social security 
numbers. 

B. Responsible Uses of Marketing Data 

Marketers use marketing data to understand their existing customers better or 
to identify prospective new customers, in order to predict what types of offers are 
most likely to be valued by them. For example, a local hardware store would want 
to send a coupon for a discount on a lawnmower to a new home buyer with a lawn 
and a different coupon for paint to a condominium buyer. Data will help this small 
business to be more efficient in its advertising and provide more value to consumers. 
Marketers may also use data to make other decisions related to their businesses, 
such as what products to develop and offer in the future or where to locate new re- 
tail outlets. 

Data used for marketing is also “modeled” or inferred information that represents 
a statistical prediction about consumers and does not necessarily reflect the actual 
characteristics of one consumer or household. For example, based on public property 
records and U.S. Census data that is aggregated at the Zip Code or census tract 
level, database compilers may estimate the average age of a dwelling in a certain 
ZIP code. Marketers, such as a local roofing company, can then use this information 
to make offers that are more likely to be valuable to households in that ZIP code. 

C. Marketing Data is Not Used for Eligibility Purposes 

It is important to note that there is a difference between using data for marketing 
purposes and using data for eligibility purposes. The use of data for eligibility deci- 
sions related to credit, insurance, and employment is regulated by the Fair Credit 
Reporting Act (“FCRA”). The FCRA requires companies that make such decisions 
to offer consumers certain disclosures about, and access to, the data used to make 
those decisions. 

In contrast, the use of data for marketing purposes is not used to make decisions 
that impact whether a consumer can obtain credit. The Federal Trade Commission 
(“FTC”) agrees that entities that maintain data for marketing purposes do not need 
to provide consumers with individualized access to marketing data, unlike consumer 


The Value of Data at 75. 
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report dataJ Instead of determining a consumer’s ability to receive a loan or get 
a job, the use data for marketing purposes determines which coupon or advertise- 
ment he or she receives. The FCRA recognizes the difference in these uses, which 
is why marketing is not included in the types of activity that require increased lev- 
els of disclosure and access. 

In addition, some policymakers have raised concerns that data collected for adver- 
tising purposes could be used as a basis for employment, credit, health care treat- 
ment, or insurance eligibility decisions. In fact, these are hypothetical concerns that 
do not reflect actual business practices. Nevertheless, industry has stepped forward 
to address these concerns by expanding its codes of conduct to clarify and ensure 
that such practices are prohibited and will never occur.® This prohibition will help 
to ensure that consumers’ browsing histories will not be used against them when 
applying for a mortgage, job, or insurance, or when seeking health care. 

TV. The Value of Self-Regulation in the Data-Driven Marketing Economy 

The DMA and its members are firmly committed to advancing responsible data 
practices across the DDME. Our members deeply value consumer trust and under- 
stand that responsible data practices are critical to building and maintaining cus- 
tomer relationships. To that end, the DMA believes that self-regulation and edu- 
cation are important components for addressing consumer privacy while ensuring 
that data flows continue to benefit consumers and the economy. 

A. The DMA Guidelines for Ethical Business Practice 

The DMA has a longstanding and enforceable self-regulatory framework. The 
DMA, working with its members, implements and enforces a set of best practices 
known as the Guidelines for Ethical Business Practice (“DMA Guidelines”). The 
DMA Guidelines, which have been in place for more than four decades and are a 
condition of membership in the DMA, provide DMA member companies with stand- 
ards for responsible marketing practices by explaining how companies should pro- 
vide transparency, choices, and other protections to consumers. The DMA regularly 
updates its guidelines to adapt to new technologies and marketing practices. 

There are more than 50 code sections in the DMA Guidelines that regulate mar- 
keting data practices. I would like to focus on a few key examples relevant to the 
subject of this hearing, and to database compilers in particular. 

1. Transparency 

Transparency around data practices is a core principle of the DMA Guidelines. 
For example, privacy policies are the primary way that companies provide con- 
sumers with information about their data practices. These polices typically provide 
consumers with detailed information regarding what data is collected, how it is 
used, and the choices that may be available to consumers. The DMA Guidelines re- 
quire that these policies be made accessible via online and offline channels, and be 
easy to read and understand. The DMA Guidelines also require members to periodi- 
cally keep existing customers aware of the nature of the use of their data, and how 
that use may have changed. 

2. Choice 

DMA members have long offered consumers the ability to opt out of marketing. 
The DMA Guidelines require data-driven marketers to honor within 30 days any re- 
quest by a consumer to opt out of any use or sharing of their data for marketing 
purposes. 

In addition to the choices available from individual member companies, the DMA 
offers a centralized choice tool for consumers at DMAchoice.org. This service allows 
consumers to opt out of direct mailings and to refine what categories of mail they 
receive. Also at this website, consumers can remove their e-mail address from na- 
tional mailing lists. Through these programs, the DMA provides consumers with an 
easy way to make informed choices about the marketing they wish to receive. 

The DMA’s commitment to consumer choice also extends to online interest-based 
advertising. The DMA Guidelines require third party data collectors to provide con- 
sumers with the ability to exercise choice with respect to the collection, use and 
transfer of information for online interest-based advertising purposes. This choice 
must be provided online and made available to consumers as specified in the DMA 
Guidelines. 


"^Protecting Consumer Privacy at 65—66. 

Digital Advertising Alliance’s Self-Regulatory Principles for Multi-Site Data (2011), avail- 
able at http: / / www.aboutads. info / resource / download / Multi-Site-Data-Principles.pdf . 
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3. Access 

Consistent with the FTC’s views on individualized access to marketing databases, 
the DMA Guidelines do not require members to allow consumers to access indi- 
vidual records within marketing databases. The DMA agrees with the FTC that the 
costs of providing such access would outweigh the consumer benefits. The DMA is 
also concerned that in order to allow consumers the ability to access and correct 
data, marketers would have to collect and store additional personally identif 3 dng 
data needed to authenticate consumers prior to access. In addition, as noted, much 
marketing data is actually modeled or predicted data that would not be meaningful 
to consumers. The DMA therefore believes that its current guidelines around trans- 
parency and choice strike the correct balance between consumer control and mar- 
keting needs to encourage the continued growth and success of the DDME. 

4. Guidelines Specific to Database Compliers 

The DMA Guidelines include a section outlining specific requirements for data- 
base compilers that assemble and share personally identifiable information about 
consumers but do not have direct relationships with those consumers.® For example, 
these compilers must, when requested by a consumer, suppress that consumer’s 
data from marketing databases. They must also disclose the nature and sources of 
a consumer’s data upon request, and they must allow their marketing customers to 
divulge the compiler as the source of their marketing data. The database compiler 
must additionally monitor the use of their databases to assure compliance with the 
law and the DMA Guidelines. A database compiler that discovers a violation of the 
law or the DMA Guidelines may not “turn a blind eye” but should stop providing 
data to that customer and either require compliance and/or refer the matter to the 
DMA or law enforcement. 

B. Enforcement 

The DMA has a long history of proactive and robust enforcement. The DMA 
Guidelines have been applied to hundreds of direct marketing cases concerning de- 
ception, unfair business practices, personal information protection, and other ethics 
issues. The DMA enforces compliance with the DMA Guidelines upon both DMA 
member and nonmember organizations across the DDME. In addition, companies 
that represent to the public that they are DMA members but fail to comply with 
the DMA Guidelines may be liable for deceptive advertising under Section 5 of the 
FTC Act and comparable state laws. 

The DMA receives matters for review in a number of ways: from consumers, mem- 
ber companies, non-members, and consumer protection agencies. Complaints re- 
ferred to the DMA’s Ethics Operating Committee are reviewed against the DMA 
Guidelines and if a potential violation is found to exist, the company will be con- 
tacted, investigated, and advised on how it can come into full compliance. Most com- 
panies work with the Ethics Operating Committee voluntarily to cease or change 
the questioned practice. 

However, if a member company does not cooperate and the Ethics Operating Com- 
mittee believes there are ongoing violations of the DMA Guidelines, it can rec- 
ommend that action be taken by the Board of Directors and can make case results 
public. For example, in the period spanning February 2012 through June 2013, the 
DMA Corporate & Social Responsibility Committee reviewed 65 cases and 12 of 
these were made public. Additional Board actions could include public censure, sus- 
pension or expulsion from DMA membership. The DMA also refers cases to Federal 
and state law enforcement authorities for review when appropriate. 

C. Business and Consumer Edueation 

To help educate marketing professionals, regulators, and other interested parties 
about the DMA Guidelines, the DMA regularly issues a case report that summarizes 
questioned direct marketing promotions and how enforcement cases were adminis- 
tered, The DMA also provides member education regarding the DMA Guidelines 
through webinars, in-person seminars, and regular written communications to mem- 
bers. 

In addition to educating member companies about their responsibilities under the 
DMA Guidelines, the DMA frequently offers conferences, wehinars, courses, semi- 
nars, and written materials to keep companies up to date about new legal and policy 


® Direct Marketing Association, DMA Guidelines for Ethical Business Praetice at Article 36, 
available at httpil ! thedma.org j compliance ! . 

Direct Marketing Association, DMA Annual Ethics Compliance Report 2012-2013 (2013), 
available at http:! ! thedma.org j compliance I . 
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developments. These efforts help companies, especially small businesses, to comply 
with the host of restrictions that govern data-driven marketing. 

Finally, the DMA commits resources to educating consumers directly about mar- 
keting practices and the choices available to consumers. A section of our website is 
dedicated to “Consumer Help” and provides consumers with access to the central- 
ized DMAChoice.org tool for managing their direct mail and e-mail preferences as 
well as a wealth of information about how marketing works. 

The Value of Data has helped us to quantify what marketers have long known — 
the use and sharing of data for marketing provides tremendous benefits for the U.S. 
economy and the American workforce, for small and large businesses, and for indi- 
vidual consumers and society as a whole. 

Thank you again for inviting me to testify today, and I look forward to answering 
questions from the Committee. 

The Chairman. Thank you very much, sir. 

I will start out the questioning, and then we will do it according 
to order of arrival. 

Mr. Hadley, one of the products that your company sells to mar- 
keters is called “ChoiceScore.” This product targets what you call 
“underbanked” consumers. Let me read your description of the 
underbanked consumers: new legal immigrants, recent graduates, 
widows, those with a generation bias against the use of credit, fol- 
lowers of religions that historically have discouraged credit, and 
consumers with transitory lifestyles, such as military folks. 

Mr. Hadley, the populations in this group are very vulnerable to 
financial scams. We have experienced that in this committee be- 
cause we have done hearings about that, particularly near military 
bases, where people take — you know, these are relatively young 
people, they are overseas, they are back for a while, and they are 
very vulnerable because they need cash, and people could come in 
and really clean their clocks, and do, and we have the testimony 
to prove that. 

Last month in this committee, we held a hearing about compa- 
nies that target fraudulent financial products to our military 
servicemembers. And military personnel are unfortunately vulner- 
able to scams because of their financial inexperience and their 
steady paychecks. 

So, Mr. Hadley, why does your company single out and sell lists 
of economically vulnerable groups like immigrants, widows, and 
military personnel? 

That is a very important question to me, because if you set the 
probable response to whom your questions are aimed, your mar- 
keting is aimed at, you can fairly well predict the type of product 
they are going to get. I mean, you will be offering them a nicer va- 
cation, a less nice vacation, et cetera. But when you put people in 
categories and they are vulnerable, that is not called the L.L. Bean 
model. 

So I would like you to respond to that question. 

Mr. Hadley. Thank you. Senator. 

We would be very concerned if lenders were using that informa- 
tion for scamming purposes too. And we have processes and proce- 
dures in place to ensure that nobody gains access to that score for 
that purpose. Now 

The Chairman. And how does that work? 

Mr. Hadley. We have an onboarding system by which we take 
on a client that gets our information to know who they are. And 
we also have a mail-piece review process to know what they are 
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going to offer the consumer. And if it is anything that looks dis- 
criminatory or predatory, we will not provide our list to them. 

Now 

The Chairman. And this is your self-regulation? 

Mr. Hadley. This is our self-regulation under DMA standards. 
So if we were to violate that, we would he in violation of our self- 
regulatory standards as well as our contractual standards with our 
clients. 

Now, what is important here is that there are somewhere be- 
tween 45 million and 50 million Americans who are outside the 
mainstream of the credit markets in the United States. These are 
underbanked, underserved consumers who financial institutions 
cannot reach through credit scoring and credit report. They don’t 
have financial identities or a big enough or even the presence of 
a credit file in order to bring them into the mainstream of financial 
markets. 

But that doesn’t mean that they don’t need access to financial 
services. So banks use this data to try to reach out to consumers 
who they can help to empower them, not to scam them. We don’t 
want to do business with financial institutions who are trying to 
scam people, only to empower them. 

And this is their best way to find those individuals who are out- 
side the mainstream — immigrants; new to credit, like recent college 
graduates, exactly what we are talking about here — to give them 
an offer, an invitation to apply, so that then they can make an eli- 
gibility determination regarding that application under the Fair 
Credit Reporting Act. 

But this is marketing literature, not eligibility determination. 

The Chairman. Who 

Mr. Hadley. Did I add to that for you? 

The Chairman. Not entirely. Can you tell me, which are the com- 
panies that buy this ChoiceScore product from you? We have asked 
you that. 

Mr. Hadley. Yes, they would be banks and financial institutions 
and members of the financial community. 

The Chairman. That is what is called a general answer. 

Mr. Hadley. Yes. I can’t tell you who our clients are. That is a 
proprietary list of ours. It is like our secret ingredient; the ones 
who would want that most are our competitors. 

And our counsel has informed me that they don’t believe that our 
ability to give that to you can be shielded from disclosure through 
the rules of the Senate. If we thought they could be — for example, 
under a law enforcement action, where it could be shielded and 
protected from FOIA or other disclosures, we could do that, but not 
under the rules of the Senate. And we are very sorry about that, 
but we just simply can’t do that. Our counsel won’t let us. 

The Chairman. Oh. Well, there are a lot of counsels out there 
looking for work. 

[Laughter.] 

The Chairman. My point is that — ^you have to keep up with your 
competitors, and my point to you would be I am not necessarily ap- 
proving of what your competitors are doing. I mean, maybe you 
want to keep up with them, but maybe they are doing exactly what 
you are doing but on a larger scale. And 
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Mr. Hadley. We don’t want to keep up with most of our competi- 
tors. 

The Chairman. — a lot of those other companies, incidentally, 
gave us the precise information which I want from you. 

Mr. Hadley. I would hope that the focus of the Committee and 
FTC and others interested in these types of uses of data would 
focus on those data brokers, because it is not Experian that is 
doing that. We wouldn’t have that within our business model. 

The Chairman. All right. Can you please provide the names of 
the companies that buy lists of economically vulnerable consumers 
from Experian? 

Mr. Hadley. I can tell you the types of categories. And there is 
a really good story 

The Chairman. But don’t you understand how that doesn’t work 
up here? 

Mr. Hadley. Yes. 

The Chairman. The types of categories? 

Mr. Hadley. But let me tell you 

The Chairman. It is very hard to pass the Tax Code with 

Mr. Hadley. Yes, let me tell you who buys them, and I can name 
a few because they are public, right? 

Our Mosaic segmentation system, it reflects the entirety of the 
economic range of our economy. We don’t leave out low-income indi- 
viduals. They exist within the economy and need products and 
services, too. But the most frequent users of that segmentation, the 
economically disadvantaged. Senator, are typically government 
agencies and public policymakers who are trying to get a view into 
them so that they can deliver them messages and marketing mate- 
rials about public services they are eligible for. 

Among the users of those are the West Virginia Department of 
Health and Human Services, the Massachusetts Department of 
Health and Human Services, the New Jersey Department of Health 
and Human Services. They want to reach those people, let them 
know what benefits they are eligible for so that they can come and 
get them. They also use this data to update address lists for their 
clients. 

The Chairman. You will admit, won’t you, that if a state HHS, 
so to speak, will use that information, that is quite a different ket- 
tle of fish from a for-profit, bottom-line-oriented company? 

Mr. Hadley. And we would put the departments of HHS through 
the same review of who they are and what they want that informa- 
tion for, because we wouldn’t want them to use our information to 
disadvantage those consumers, only to empower them. So they 
would go through the same review. 

The Chairman. All right. My time has expired. And you happily 
engaged in an interesting process; you selectively named some of 
your clients. If you can selectively do it, you can broadly do it. 

Mr. Hadley. Those are a matter of public record. 

The Chairman. Well, that is the point. 

Mr. Hadley. Right. 

The Chairman. What should be a matter of public record is what 
you do. This is an oversight committee. This is a serious subject. 
We have the feeling people are getting scammed or screwed by this 
feeling. It is up to you to talk us out of that. 
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Mr. Hadley. But not by Experian. And I can assure you, Mr. 
Rockefeller, the Experian executives are watching this right now 
and they are hearing what you are saying. We respect your point 
of view. 

The Chairman. You think they are all glued to their TV sets? 

Mr. Hadley. No, to their monitors 

The Chairman. Oh, OK. 

Mr. Hadley. — right? And so we want to be responsive to you, se- 
riously. And so we look forward to the dialog. 

The Chairman. All right. Well, anyway, my time has expired. 

And Senator Booker — it is going to be Senator Booker, then Sen- 
ator Johnson, then Senator Blumenthal, then Senator Markey. 
That is just so I can hold everybody here. 

STATEMENT OF HON. CORY BOOKER, 

U.S. SENATOR FROM NEW JERSEY 

Senator Booker. Good afternoon, and thank you very much for 
your rich testimony. 

You know, the Internet now — the ability for big data to be used 
is actually a service to many consumers. It serves me every time 
I go online, every time I am shopping. 

And I love the fact that I can use this little device and things 
will be pushed to me that are very valuable. And that is how data- 
sharing helps to fuel our economy, is a service to customers. There 
are so many great advantages of it. 

I do have worries on the back end of that, which I think my 
chairman. Senator Rockefeller, is making a point, and those are the 
concerns of consumers. 

And so, just one quick question about, you know, what frustrates 
me when I am — ^you know, that I know my browser history, these 
cookies are on my computer that are sort of tracking and tracing 
what I am doing, and I understand the upside and the benefit of 
it, but that is a little problematic to me. 

Could you — Mr. Cerasale? 

Mr. Cerasale. Sure, Senator Booker. 

There is a group that DMA is part of and started, the Digital Ad- 
vertising Alliance, on the online — following where people are. And 
we have created an icon and a process to allow consumers to opt 
out, totally or selectively, for any cookies that are used to track 
their surfing, their browsing activity, across unaffiliated websites. 
And that icon is a little triangle with an 

Senator Booker. So you are saying — I am sorry to interrupt you, 
just because I have so little time. 

Mr. Cerasale. No problem. 

Senator Booker. So you are saying that the industry is trying 
to self-regulate 

Mr. Cerasale. Yes. 

Senator Booker. — and find a way because you recognize that 
this is a problem. 

Mr. Cerasale. Yes. And approximately a little over a million 
people have opted out. Over 10 million people have gone to the 
website 

Senator Booker. I am a pretty tech-savvy, X-Gen guy; I never 
heard of this. So 
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Mr. Cerasale. OK. 

Senator Booker. — that is problematic to me, just because I am 
very engaged in the world of tech. So I didn’t know there was even 
an opt-out function. And I am concerned about my — so the industry 
is trying to correct what they know is a problem, true? 

Mr. Cerasale. Right, to give consumers a choice, absolutely. 

Senator Booker. OK. 

So, Ms. Rich, I am just curious, there is so much positive here. 
I mean, the opportunity for big data to enrich our lives gets me ex- 
cited about what the future is. And so these businesses, in some 
ways, have a wonderful public purpose. But I do worry about the 
darker side in the way that my Chairman is discussing. 

And I really want to know — it is not as simple as saying more 
transparency or — it is difficult to create a regulatory framework 
that is nimble. I mean, this is such a changing environment. 

So, really, I just want to know for you, like, how are you plan- 
ning on using your 6(b) authority under the FTC Act to study and 
stay abreast of this industry and see if there are needs or opportu- 
nities, like in this one, where the industry is not correcting or self- 
regulating, where we can get them to the point where we are bal- 
ancing all of these incredible positives of big data with the obvious 
downsides? 

Ms. Rich. We think about this every day, balancing the positive 
but also protecting consumers. In this case, though, I think the 
first step is pretty simple, as there is really very little transparency 
about data brokers. And providing that transparency is pretty 
basic. It is not a technological issue. 

In more complex circumstances, the way we balance is we engage 
in a constant learning process. We do workshops, we are always 
learning about industry, we meet with consumer groups, we meet 
with business groups. And we also, in everything we do, we are al- 
ways trying to develop flexible standards. We are thinking about, 
you know, what about 20 years from now especially in the orders 
we get, will this last, will this be able to grow with innovation? And 
we make a lot of effort in that regard. 

But I do want to bring it back to — you know, we have some basic 
steps here to bring about some transparency that shouldn’t under- 
mine the data-driven economy. And, in fact, there is nothing in 
that study that DMA did that addresses how privacy would under- 
mine the data-driven economy. 

Senator Booker. Right. And because so much of what I am doing 
for free on the Internet is made free because folks are shooting ads 
at me that are targeted to my interests or needs or what have you. 
But you are saying that there is just a tremendous larger degree 
of transparency that needs to be given to the public. 

Ms. Rich. And we think that transparency — and we were talking 
about this a few minutes ago — is completely consistent with the 
growing economy. I mean, consumers are increasingly demanding 
more information about how their data is being used. When you 
give them information, they often develop more trust in the busi- 
nesses they are engaging with. And we think it is in both con- 
sumers’ interests and businesses’ interests to provide more infor- 
mation. 
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Senator Booker. I would love to hear what Mr. Hadley or Mr. 
Cerasale have, if they have any resistance to that increased trans- 
parency, but I am trying to stay on the good side of the Chairman. 
I am the new kid on the block. So I will yield. 

The Chairman. Senator Booker, you are always on the good side 
of the Chairman so you can charge right ahead, but you have 
blown that opportunity. 

[Laughter.] 

The Chairman. And so we are going to go to Senator Johnson, 
to be followed by Senator Blumenthal, Senator Markey, and the in- 
vincible Senator McCaskill. 

Senator McCaskill. Did you say invisible? 

The Chairman. Invincible. 

STATEMENT OF HON. RON JOHNSON, 

U.S. SENATOR FROM WISCONSIN 

Senator Johnson. Invincible. 

Well, thank you, Mr. Chairman. 

By the way, this is an excellent discussion, this is a very good 
hearing. I appreciate Senator Booker’s good questioning. I kind of 
want to pick up where he left off, talking a little bit about trans- 
parency, because it is a great term. 

I want to know exactly what the FTC wants to do in terms of, 
what is your fix? What is transparency to you? 

Ms. Rich. Well, in this context, what we have recommended is 
that data brokers allow consumers access to the kind of informa- 
tion that they maintain about consumers. 

Senator Johnson. How? 

Ms. Rich. Either through some sort of centralized — what we rec- 
ommended in a privacy report we did last year was either 
through — possibly through some centralized website where con- 
sumers can go. DMA has something like that for opt-out. DAA has 
developed a centralized website for online tracking. And so we have 
recommended that for data brokers. 

Senator Johnson. So what would be on this centralized informa- 
tion thing? What would be on there? 

Ms. Rich. The names of data brokers, and then you would be 
able to find out what kind of information they collect, and you 
would be able to potentially opt out of the use of their data. 

Senator Johnson. Mr. Hadley, can you tell me what that sounds 
like to you and what problems the industry would have with that 
and how restrictive that would be? 

Mr. Hadley. Well, first, we want to be responsive and be more 
transparent, although we, too, are trying to figure out what that 
means in a meanin^ul way to consumers. 

Regarding an opt-out website, here is the problem as I see it: I 
don’t know how to define “data broker.” I have never seen a defini- 
tion of “data broker” that wouldn’t sweep in tens of thousands of 
companies, because everyone exchanges data and shares data and 
sells data within the Internet ecosystem. That is how the business 
model of the Internet is. 

So would we have a website with an entire industry on it? And 
how would that really be meaningful to a consumer if you throw 
that many companies up? Of course Experian would be on that, but 
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so would 10,000 other companies. That is not a meaningful way of 
providing transparency. 

Instead, what we are trying to explore is how can we make the 
exchange and sharing of information responsibly more meaningful 
to consumers. And we think one of the steps could be working with 
the users of data brokers 

Senator Johnson. OK. Well, let me stop you, because I have lim- 
ited time. 

With mailing lists, for example, you get a one-time use. And I 
was trying to follow what you are talking about, because it sounds 
like you have a system where you are making sure that this mate- 
rial is not misused, because that is the real problem. The violation 
is the misuse, the improper use of the information. 

For every time you sell data, is that restricted to a one-time use 
that you already have determined is not a misuse? 

Mr. Hadley. It is 

Senator Johnson. Or do you sell the data and they can use it 
for years? 

Mr. Hadley. No. It is sold pursuant to a contract, in some cases 
one time, in some cases as a license over numerous times. But we 
always have audit procedures in all of those situations to know 
how they are using that data and what they are using it for. And 
it is strictly limited to marketing purposes. 

Senator Johnson. The information, you are saying it is, you 
know, from public records, sometimes surveys. But is it also from 
those cookies, and are you also getting it from all the other Inter- 
net applications? And do you have agreements with different people 
that gather all these cookies? I mean, is it a much larger data- 
gathering than what we were kind of talking about earlier? 

Mr. Hadley. We do collect information online in that realm, but 
it is all aggregated, anonymized data. There is no personally identi- 
fiable information attached to it. 

So, for example, we might be able to know what type of consumer 
is visiting X website versus another website so that we can share 
that in competitive intelligence for the industry. So Macy’s might 
want to know what Nordstrom shoppers look like, in the aggregate, 
de-identified, so they can compete against one another and vice 
versa. 

Senator Johnson. Mr. Cerasale, again, as Senator Booker talked 
about, there are incredible benefits by people using the Internet, 
and of course we always take a look at, do you agree to use this 
website? And I would say most people just say, yes, I want to use 
this website, hit “agree”; they don’t really read the, what, 300 
pages of all the information saying, hey, we are going to share this 
information. If you want to use this phenomenal, free application, 
you are subjecting yourself to a certain lack of privacy. 

How do you get — is there any way of getting around that? 

Mr. Cerasale. There is. I think that icon I was expressing to 
Senator Booker is an easy — it says “AdChoices,” and I can click on 
it; it tells you about what is happening of following your web 
browsing across websites. And then there is a link right to 
AboutAds.info, a website where you can opt out. That type of — is 
how we are looking at it. 
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We have worked with NTIA in looking at mobile apps and the 
small screen, and how do you let people know what type of infor- 
mation you are collecting. So we need quick links from 

Senator Johnson. So, like, on a do-not-call list, can it he one 
time and you are covered? Or is this application after application 
after application? 

Mr. Cerasale. On the DAA, it is one time and you are covered, 
and it probably affects about 96 percent of the targeted ads and so 
forth. That many people have signed up for it, so it is pretty close. 

Senator Johnson. And that icon is located where? 

Mr. Cerasale. That icon is usually located right around the ad 
that is targeted. And we have contracts with Canada, with EU. We 
are working on Australia, starting with Latin America, to try to 
make that icon worldwide. 

Senator Johnson. OK. Thank you. 

Thank you, Mr. Chairman. 

The Chairman. Thank you. And that was good questioning. 

Senator Blumenthal? 

STATEMENT OF HON. RICHARD BLUMENTHAL, 

U.S. SENATOR FROM CONNECTICUT 

Senator Blumenthal. Thank you, Mr. Chairman. And thank you 
for having this hearing. Thank you for pursuing this profoundly 
important issue with such far-ranging consequences for both good 
and ill in our society. 

And thank you to the staff for this truly remarkable study. For 
anyone who doubts how to define a data broker, I recommend the 
report, “A Review of the Data Broker Industry: Collection, Use, and 
Sale of Consumer Data for Marketing Purposes.” There is now an 
industry involved in this very far-reaching and far-ranging collec- 
tion, use, and marketing of data. 

And one of the ironies is that almost every day in the headlines 
and in the news we read about what the NSA is doing in the collec- 
tion and use of data about citizens in this country who are pro- 
tected by the Fourth Amendment. One of our justices once defined 
the right of privacy as the right to be left alone. Obviously, con- 
sumers do not have that same right against this industry because 
it is not the government. And yet their privacy interests may be 
just as much at risk and abused as they are by the government. 

And that is really what brings us here today, not only the vast 
potential for good but also the downsides and the dark side and the 
danger of the collection and use. 

And I, quite honestly, did not expect anybody to come here today 
and say, we are using this data to exploit people. You know, I am 
not the naive. But I think you need to recognize that others could 
use it for that purpose. And all you need to do is turn to page 24 
of this report and see the categories that are sometimes used for 
marketing purposes. 

And let me give you two very concrete examples of why I think 
that people ought not to be compelled to surrender personal privacy 
as the price of admission for the use of the Internet. And that is 
really what we are talking about, the sacrifice of privacy as the 
price of admission to the Internet. 
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In December 2012, the Wall Street Journal ran a story entitled, 
“Websites Vary Prices, Deals Based on Users’ Information.” And it 
stated, in part, quoting, “Websites are adopting techniques to glean 
information about visitors to their sites in real-time and then de- 
liver different versions of the web to different people. Prices 
change, products get swapped, wording is modified, and there is lit- 
tle way for the typical website user to spot it when it happens.” 

So if you prefer Hilton hotels over Marriott hotels and the wrong 
company gets its hands on that information, you could be charged 
more for staying at one hotel or another than a person just walking 
in off the street. 

Now, I assume, Mr. Hadley, that you would join me in feeling 
that such marketing practices and pricing practices would be offen- 
sive and should be made illegal, perhaps. 

Mr. Hadley. I would agree with you that that shouldn’t be hap- 
pening. And Experian is not involved in dynamic 

Senator Blumenthal. I am not asking you about Experian. I am 
not expecting that you will tell us that Experian is involved in 
these kinds of 

Mr. Hadley. But dynamic pricing does exist. All you have to do 
is look at the hotel and airline industry, and they have variable 
pricing. 

We don’t provide products and services to allow them to under- 
take that dynamic pricing. That is their choice, because they are 
marketing their product or service. 

Senator Blumenthal. Do you think it is fair to the consumer? 

Mr. Hadley. I wouldn’t want it to happen to me, but I know that 
it does. If I go to Las Vegas and there is a 

Senator Blumenthal. Well, the fact that it does is why we are 
here today, right? 

Mr. Hadley. I am not sure that it is illegal. It is just a factor 
of 

Senator Blumenthal. Let me ask you, Mr. Cerasale 

Mr. Hadley. — the economics, right? 

Senator Blumenthal. I am not asking you for your legal opinion. 

Mr. Cerasale, what do you think about that practice? 

Mr. Cerasale. Dynamic pricing and changes in pricing are there 
all the time, and you have — frequent flyers get different prices. 
Grocery stores, people who have the card have different prices. It 
is part of where we are today. 

I think if it is discriminatory and so forth, you look at it. It goes 
back to what I said. You want to look at use, not the data itself 
or the collection of it, but use. If there is an improper use 

Senator Blumenthal. Well, you would agree with me that dis- 
criminatory pricing that charges people more because they are re- 
garded as more vulnerable, and without their knowing it, would be, 
at best, unethical? 

Mr. Cerasale. Yes — I — yes. And I believe there are laws 

Senator Blumenthal. Let me ask you another question. 

Mr. Cerasale. — on that, as well. 

Senator Blumenthal. And I am rushed for time. I am going to 
use my last 4 seconds to ask you a question 

Mr. Cerasale. Sure. 
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Senator Blumenthal. — about a second area where I think dis- 
crimination, the prospect of discrimination and exploitation is 
raised. And that is in terms of job postings and screening of job ap- 
plicants. 

I don’t need to tell anybody in this building about the dev- 
astating impact of long-term unemployment in this country. And I 
have joined Senator Warren in a bill that would prohibit the use 
of credit scores of job seekers in a discriminatory way during the 
hiring process. 

Let me ask you whether an employer could buy information from 
your company, Mr. Hadley, for example, and use it to target job 
postings in a way that discriminates against certain job applicants, 
using the information that might be obtainable from your company. 

Mr. Hadley. Marketing data cannot be used for employment 
screening and job eligibility. That is a case under the Fair Credit 
Reporting Act. So they would have to obtain a credit report, and 
all of the consumer rights would accrue to that marketing 

Senator Blumenthal. Well, let me ask you, what would prevent 
an employer from asking for information from your company and 
then, on its own, using it in a discriminatory way? 

Mr. Hadley. We would know who that company is and why they 
were asking us for marketing information. 

Senator Blumenthal. And you would 

Mr. Hadley. And we would know what 

Senator Blumenthal. — refuse to sell to them? 

Mr. Hadley. — they were going to use it for, and we would forbid 
them in our contract with them from using it for any purpose 
under the Fair Credit Reporting Act, including employment pur- 
poses. 

Senator Blumenthal. If it is a violation of the Fair Credit Re- 
porting Act. What if they said to you it is not a violation? 

Mr. Hadley. We would disagree with them, and we wouldn’t give 
them the 

Senator Blumenthal. Is that true of other companies in your in- 
dustry? 

Mr. Hadley. I think it is a pretty standard practice among those 
that belong to DMA and practice good standards. 

I can’t vouch for all of them, but it certainly is with Experian. 
We know the bright line between those. 

Mr. Cerasale. It would violate our 

Senator Blumenthal. Your company does, but from the informa- 
tion that has been provided to my office, not all companies do. Do 
you 

Mr. Hadley. Then it is a violation of law, and the FTC should 
take action against those companies. 

Mr. Cerasale. It is unethical, it violates our guidelines to use 
marketing data 

Senator Blumenthal. It is unethical, it violates your guidelines, 
but maybe the law 

Mr. Cerasale. That is correct. 

Senator Blumenthal. — ought to be clarified so that everybody 
understands it is illegal. 



126 


Mr. Chairman, I apologize for exceeding my time. I tried to move 
as quickly — I want to apologize to the witnesses for perhaps inter- 
rupting you. 

Unlike Senator Booker, although I am still a new guy on the 
block, I didn’t say at the outset I was going to stop when I should 
have. So 

The Chairman. Well 

Senator Blumenthal. — I know I am on your bad side now. 

The Chairman. No, you are not on my bad side, but, you know, 
you are clearly just sort of settling into this role of being a licensed 
lawyer. 

[Laughter.] 

The Chairman. He was attorney general for 29 years. 

Senator Blumenthal. I am a recovering lawyer. 

[Laughter.] 

The Chairman. Yes. 

Senator Blumenthal. I apologize, Mr. Chairman, and 

The Chairman. No. 

Senator Blumenthal. — thank you. 

The Chairman. Senator Booker will learn from you. 

[Laughter.] 

The Chairman. Senator Markey? 

STATEMENT OF HON. EDWARD MARKEY, 

U.S. SENATOR FROM MASSACHUSETTS 

Senator Markey. Thank you, Mr. Chairman, very much. 

So the bottom line is that there are digital dossiers being col- 
lected on every American right now by the companies represented 
at this table. And there is a lot of promise from that: services that 
can be provided. There is a lot of peril from that: the compromise 
of the privacy and the most intimate secrets of families that can 
go out and on sale across the country and across the world. 

And the bottom line is no company should be allowed to do that. 
If the individual doesn’t want that information compromised, they 
should have a right to be able to control that data. And no com- 
pany should be allowed to play fast and loose with the information 
which they have gathered about Americans. 

So I had a caucus meeting over on the House side last year, and 
we had some of the gentlemen here today over there for that. And 
we began to talk about propensity scores — propensity scores. And 
that is a practice of attaching a propensity score to individuals, 
hundreds of thousands, millions of Americans. And the scores are 
created without the consumers’ knowledge, without the consumers’ 
consent. 

And then they become the basis for targeting offers, benefits, 
products to certain consumers. And as a result of these e-scores, 
high-value prospects may receive marketing details and discounts 
regularly, but others may not. They may be dismissed as low-value 
people, characterized as “waste” in industry slang. 

So, Ms. Dixon, what are the dangers attached to an industry that 
engages in those kinds of practices, in terms of its impact upon 
tens of millions of Americans? 

Ms. Ddcon. The real problem with the propensity scores and the 
propensity values that are attached to consumers is that, unlike a 
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credit score that would be pulled, that would be covered under the 
Fair Credit Reporting Act, but these scores are not covered under 
the Fair Credit Reporting Act. 

If they are health scores, they are not covered under HIPAA, 
they are not being held by a healthcare provider. 

So, therefore, you can be tagged with these characteristics, and 
these characteristics are not under any regulation. There is no law 
that says that an employer cannot use these to determine job eligi- 
bility. There is no law that says that an insurer cannot use these 
scores to determine rates, because these are not regulated scores. 
So the propensity scores are of great concern. 

And, of course, consumers do not have the opportunity to learn 
about these scores. These are secret scores. And consumers do not 
have the opportunity to opt out of this, as they would if the scores 
were covered under the Fair Credit Reporting Act. 

Senator Markey. Great. 

So we have to do something about that, Mr. Chairman. You 
know, we are hearing language about, well, that might not be ille- 
gal, so we can actually pass a law and make it illegal. So that is 
what this committee is all about. 

And now let me go back to you again, Ms. Dixon. Thank you for 
that. 

We know that data brokers categorize people into market seg- 
ments, so-called “suffering seniors,” “burdened by debt,” singles,” 
“credit crunch,” “city families.” And these are the real labels that 
actual data brokers use to describe all these different segments out 
there as they are trying to decide who they are going to be talking 
to. 

But that categorization can cause real economic harm, including 
profiling, redlining, and racial discrimination. And, in fact, there is 
actually a term for it: not redlining, but “web-lining.” We are just 
going to use the web to kind of segment people out. They are in 
the wrong income group, the wrong racial group, the wrong sex, the 
wrong whatever. And they just can do it. And there probably aren’t 
enough laws on the books to protect people against that. 

Ms. Dixon, can you talk about that and what the need is to fill 
in that vacuum, as well? 

Ms. Dixon. There is an interesting situation that is going on. 
And, interestingly enough, the DMA report came to the conclusion 
that offline information and online information are now thoroughly 
merged. And as a result, web-lining is real-life-lining, as well, so 
what happens on the web now happens in real life. 

So if there is a discriminatory problem there, we are going to be 
experiencing it elsewhere. It is a circular process now. We can’t 
just go online and block our cookies. 

Any reasonable consumer who is shredding their Social Security 
number, blocking cookies, and surfing the web responsibly, they 
can still not evade being put on a list of data brokers according to 
their health condition. 

Senator Markey. So let’s go to that line, that kind of blurry line 
that has been allowed to be created, and what the consequences 
are for consumers, kind of that line between credit reporting agen- 
cies and data brokers that market financial products. That is an at- 
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mosphere of ambiguity, and some fraudsters could do some real 
harm to people, huh? 

So if you could talk about that a little bit, Ms. Dixon. 

Ms. Dixon. So the pseudo credit scores, or pseudo scores, they 
are made up of about 1,500 factors. They are all non-credit-file fac- 
tors, so they don’t fall under the Reporting Act. They can include 
factors that would be prohibited under the Equal Credit Oppor- 
tunity Act. This is troubling, deeply troubling. 

So we don’t know everything that goes into these scores. We need 
to. We need to know how the scores are being used, and we cer- 
tainly don’t want these scores being used to target underserved 
Americans with predatory offers. 

Senator Markey. And let’s just move on to the next category. 
You know, we can talk about the sale of lists of people with par- 
ticular diseases, huh? And just kind of circulate those lists around 
to people, just so that, you know, marketers know who not to even 
get anywhere near, huh? I am going to get all the people with these 
different diseases that we have been able to compile and just make 
a list of it and make sure they are over here and they are walled 
off. 

Talk a little bit about that and what that means for our country. 

Ms. Dixon. I was stunned, in doing my research, when I found 
lists of people who were rape sufferers, people who were genetic 
disease sufferers, people who were victims of domestic violence. 
This was deeply troubling to me, and I was just shocked. 

So what is happening is that through survey instruments that 
are operated online and through other methods that are typically 
consumer-generated, people will volunteer this information to 
websites, thinking they are getting help, you know, from a website, 
and they will volunteer. And they have no idea that this informa- 
tion is going to be attached to not just a cookie but their name, 
their home address, their phone number. 

Senator Markey. And I am a lawyer but I have never had any 
clients, so I am going to be careful in how I rule here. But it just 
seems to me that it is kind of, on its face, a violation of Section 
5 of the Federal Trade Commission Act, violation of unfair and de- 
ceptive practices. 

So, Ms. Rich, back over there at that Federal Trade Commission, 
what can you do about this? 

Ms. Rich. I think — well, for all of these scenarios that you de- 
scribed, especially the particularly disturbing ones involving dis- 
crimination, we would obviously, if we had specific targets we were 
looking at, take a close look to see if it did violate the Fair Credit 
Reporting Act or the FTC Act. We wouldn’t give up on that. 

But one thing I want to say about — you know, our laws are lim- 
ited, as I mentioned in my opening statement. For the Fair Credit 
Reporting Act to apply, the data has to be collected and used for 
certain purposes. And the FTC Act allows us to go after deceptive 
practices, meaning affirmative false statements or omissions need 
to be made, or unfair practices, and we have a lot of hoops to jump 
through to prove those. 

But there is nothing in our laws that would require the entities 
amassing those lists to tell consumers about it or to allow them ac- 
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cess to the data they have on them. Those are the limitations of 
our laws. 

Senator Markey. Yes. Thank you. And, again, there is nothing 
like a little Section 5 action, you know? But when you are saying 
it is even heyond the penumbra of that, then we have a real issue 
here. 

And it is a real invitation for us to act, Mr. Chairman, so that, 
you know, we put on the books the 

The Chairman. I am going to act 

Senator Markey. — actual specific language. Excuse me? 

The Chairman. — since you have just gone through your second 
round of questions. 

[Laughter.] 

Senator Markey. No, I know that, Mr. Chairman. I have now 
taken your graciousness, your beneficence, and I have stretched it, 
you know, to a point that 

The Chairman. Claire McCaskill is very unhappy. But she is 
going to be even more 

Senator McCaskill. No, I am not. 

The Chairman. — even more unhappy when I call on Senator 
Thune, who 

Senator McCaskill. I am not unhappy at all. 

The Chairman. — he and I were the first two to come. 

And then you. 

STATEMENT OF HON. CLAIRE McCASKILL, 

U.S. SENATOR FROM MISSOURI 

Senator McCaskill. No, I think it is terrific to have Senator 
Markey on this committee. And he obviously has worked on this 
issue in the House, and I think we will all benefit from the amount 
of time and effort he has spent at it. 

I want to try to home in on a couple of things. 

The case, Mr. Hadley, of Experian and Superget. You purchased 
the company Court Ventures in 2012, in the spring of 2012. For 
more than a year after the time you purchased this company that 
had all this data, you were taking monthly wire transfers from 
Singapore, and your company did nothing. And as it turns out, 
those wire transfers were coming from a man in Vietnam who spe- 
cialized in identity theft and was marketing the information that 
you owned to criminals to ruin people’s lives. 

So my first question to you is, you were quoted as saying, “We 
would know who was buying this.” You were getting wire transfers 
from Singapore on a monthly basis, and no one bothered to check 
to see who that was? 

Mr. Hadley. Now, I want to be clear that this was not Experian 
marketing data; this was Experian authentication data. So it is 
under a different company, a different use. So I just want you to 
know that it is not part 

Senator McCaskill. I don’t understand the distinction. 

The Chairman. Nor do I. 

Senator McCaskill. I think it is a distinction without a dif- 
ference. I believe it was data that you owned, Experian owned. You 
had purchased this data from Court Ventures, and they had, in 
fact 
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Mr. Hadley. No. Let me clarify. 

Senator McCaskill. — sold it to someone else. 

Mr. Hadley. Yes, let me clarify that for you, because we have 
provided a full response to that question to the Committee, and it 
is part of the eight submissions that we have given. 

And I do have to say that it is an unfortunate situation. And the 
incident is still under investigation by law enforcement agencies, so 
I am really extremely limited in what I can say publicly about it, 
but I do want to say this. 

The suspect in the case obtained data controlled by a third 
party — that was U.S. Info Search, that was not an Experian com- 
pany — through a company we bought. Court Ventures 

Senator McCaskill. OK. Let me 

Mr. Hadley. — prior to the time that we acquired that company. 
And to be clear, no Experian data was ever accessed in that deal. 

Senator McCaskill. I understand what you are saying. Here is 
what happened. You had U.S. Info Search 

Mr. Hadley. No, we did not 

Senator McCaskill. No, no, I am — U.S. Info Search existed, and 
Court Ventures existed. They decided 

Mr. Hadley. And they had a partnership. 

Senator McCaskill. — for commercial reasons, to make more 
money, to combine their information. And so they had a sharing 
agreement, those two companies, correct? 

Mr. Hadley. Right. 

Senator McCaskill. OK. So these two companies had a sharing 
agreement. Then you bought one of those companies. 

Mr. Hadley. Court Ventures. 

Senator McCaskill. Correct. So now you owned it. Now you 
stood in their place. Are you a lawyer? 

Mr. Hadley. I am not a lawyer, but I understand we stood in 
their place, right. 

Senator McCaskill. Are there any lawyers on the panel? 

OK. She will back me up. 

[Laughter.] 

Senator McCaskill. You stand in their place when you buy this. 
So now you are there. 

Now, you said in your earlier testimony, we would know who was 
buying this. So you now are part of their transactions. 

Mr. Hadley. During 

Senator McCaskill. And you were receiving the benefit of these 
monthly wires. 

Mr. Hadley. So, during the due diligence process, we didn’t have 
total access to all the information we needed in order to completely 
vet that. And by the time we learned about the malfeasance, I 
think 9 months had expired. The Secret Service came to us, told 
us of the incident, and we immediately began cooperating with the 
Secret Service to bring this person to justice. 

Senator McCaskill. OK. 

Mr. Hadley. And we are continuing to cooperate with law en- 
forcement in that realm. This was — we were a victim and scammed 
by this person. 

Senator McCaskill. Well, I would say the people who had all 
their identity stolen were the 
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Mr. Hadley. And we know who they are, and we are going to 
make sure that they are protected. There has heen no allegation 
that any harm has come, thankfully, in this scam. 

[The Committee received the following letter regarding Mr. Had- 
ley’s previous statement. The author of the letter requested that 
the statement he removed from this hearing record.] 

Venable LLP 

Washington, DC, March 18, 2014 

Via e-mail: 


Peter Curtin 

U.S. Senate Committee on Commerce, Science, and Transportation 
254 Russell Senate Office Building 
Washington, DC. 

Re: Correction to Transcript on Hearing Titled, “What Information Do Data Brokers 
Have on Consumers, and How Do They Use It?” 

Dear Mr. Curtin, 

Lines 12-14 in the attached document are crossed out. In reviewing the testi- 
mony, we checked with the Experian lawyers that are directly involved in handling 
this matter, and they have indicated that these lines are not accurate. In actuality, 
Experian does not know the identities of the individuals as the data was owned and 
controlled by U.S. Infosearch. 

Sincerely, 

Stuart Ingis, 

Venable LLP. 


Senator McCaskill. OK. 

Mr. Hadley. And we have closed that down, and 

The Chairman. Let Senator McCaskill 

Mr. Hadley. — we have modified our process 

The Chairman. Let Senator McCaskill continue. 

Senator McCaskill. OK. So let’s talk about that process. This 
person who got this man who they lured to Guam to arrest and 
who is now facing criminal charges in New Hampshire, they posed 
as an American-based private investigator. 

What is your vetting process when people want to buy your stuff? 

Mr. Hadley. That would have been Court Ventures who would 
have vetted that prior to our 

Senator McCaskill. OK, but I am talking about now, you. What 
is your vetting process? 

Mr. Hadley. Right now, before we would allow access — first, let 
me say that that person would have not gained access to Experian 
or this data if they had gone through our vetting processes prior 
to the acquisition. 

Senator McCaskill. And what would have stopped him? 

Mr. Hadley. We would have known who that company is. We 
would have had a physical onsite inspection of that company. We 
would have known who that business is and what that business’s 
record is. We would have known exactly why they wanted that 
data and for what purposes. And that would have been enshrined 
in our contract. And we would have known the kinds of systems 
they have in place to protect the data that they gained. 

Those are all incumbent upon us under the Gramm-Leach-Bliley 
Act and the FCRA. 

Senator McCaskill. Well, listen, I understand that this was not 
a crime that began under your watch. 

Mr. Hadley. Thank you. 
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Senator McCaskill. But you did buy the company, and you did 
keep getting the wire transfers from Singapore. And the only rea- 
son you ever questioned them is because the Secret Service 
knocked on your door. I don’t know how long those wire transfers 
from Singapore would have gone on until you caught them. I don’t 
have confidence that it would have stopped at all. 

So I guess what my point is here, I maybe do not feel as strongly 
as others on this panel that behavioral marketing is evil. I believe 
behavioral marketing is a reality, and, frankly, the only reason we 
have everything we have on the Internet for free is because of be- 
havioral marketing. So I don’t see behavioral marketing as an evil 
unto itself 

What I do see is some desperate need for Congress to look at how 
consumers can get this information, what kind of transparency is 
there, and whether or not companies that allow monthly wire 
transfers into their coffers from Singapore from a criminal who is 
trying to rip off identity theft, whether or not they should be held 
liable for no due diligence on checking those wire transfers from 
Singapore until the Secret Service knocked on their door. 

And that is what I think we need to be looking at. And I don’t 
think there is enough — I mean, I know that some of my friends on 
the other side of the aisle, you say trial lawyers, and they break 
out in a sweat. But the truth is that if there were some liability 
in this area, it would be amazing how fast people could clean up 
their act. And, unfortunately, in too many instances there is not 
clear liability because we haven’t set the rules of the road. 

So I didn’t mean to pick on you, Mr. Hadley, but this is a great 
example. And you are not a fly-by-night company. 

Mr. Hadley. No, we are not. 

Senator McCaskill. If this is happening under your watch, can 
you imagine what is going on with companies that are not as estab- 
lished as yours? I think it is 

Mr. Hadley. Cybersecurity is a huge problem. 

Senator McCaskill. It is serious and significant, and we need to 
look at it. 

Thank you all very much. 

The Chairman. Thank you. Senator McCaskill. 

Senator Thune, to be followed by Senator Fischer. 

Senator Thune. Thank you, Mr. Chairman. 

Mr. Hadley, one of the big users of your service is the Federal 
Government, correct? 

Mr. Hadley. Yes. 

Senator Thune. OK. Are there some areas in which you can 
identify how the Federal Government uses your services? 

Mr. Hadley. Certainly. 

The biggest users of Experian data in the Government are the 
Department of Health and Human Services. Right now, we operate 
on HealthCare.gov to authenticate the identities of individuals 
signing up for health care to make sure that fraud is eliminated 
on that, to make sure that Tony is getting an account, establishing 
the account, and not an imposter in his name. 

We also have a contract with the Social Security Administration 
as they move persons for online accounts from paper-based ac- 
counts. We all get our Social Security statement in the mail; they 
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want people to move online to get those. So we authenticate indi- 
viduals to have online accounts with the Social Security Adminis- 
tration. 

We, too, believe that HHS could be a good user of our marketing 
data, particularly in the lower economic echelons, to reach out to 
people to see if they are eligible for health care and try to deter- 
mine how to market that process to them. They haven’t done that 
yet, but the state agencies are far ahead of them in that way, of 
using these economic segments to reach out and inform consumers 
of benefits that are available to them. 

Senator Thune. So for purposes of Obamacare implementation, 
they are using you to authenticate people who are applying but 
not, at this moment, to market, the Federal Government. The 
state 

Mr. Hadley. That is exactly right. 

Senator Thune. — exchanges are. 

Mr. Hadley. Right. 

Senator Thune. OK. 

Some have concerns about the profiles that data brokers compile 
on consumers, that they will have a long-lasting impact and put 
these consumers at a disadvantage, especially if that information 
is incorrect. And I would like to have you respond to that incorrect- 
information issue or concern. 

Mr. Hadley. Yes. Our data is highly accurate. It comes from 
very reputable sources. We know what sources they are, and we 
check those sources to make sure of the integrity of that data. 

Marketing profiles are not static. This is very important. They 
change. When I was a young man with young children, I used to 
get a lot of ads for diapers. Then my sons grew up, and I got solici- 
tations and they got solicitations for college. Soon, I got solicita- 
tions for home equity loans because they knew that I might want 
to finance my sons’ college education. Now I am getting solicita- 
tions for retirement planning and for vacations. So my marketing 
profile has changed with my age and my family status and my in- 
terests that I have expressed to data brokers. 

I want to make one point that is very clear here, with health in- 
formation. Experian has health information from consumers, but 
only — only — on an opt-in basis, if they have said and clearly opted 
into telling us what their ailments are and saying, I am an arthri- 
tis sufferer, I want to know about new products and services com- 
ing onto the market to help me; or I suffer from migraines. 

These are not used, though, never used, for healthcare eligibility. 
They are used so that consumer product companies can offer solici- 
tations and coupons for over-the-counter drugs, for the most part. 

Senator Thune. Yes. 

Mr. Hadley. So it is always opt-in with health for Experian, 
clear and conspicuous opt-in. 

Senator Thune. Mr. Cerasale, there have also been concerns 
raised that consumers should not only have the ability to see what 
information is collected about them for marketing purposes but 
also have the ability to correct it. And I am wondering what your 
thoughts are on that. 

Mr. Cerasale. On first look, that sounds like a great idea. How- 
ever, as you delve deeper into it, as you look at access and then 



134 


correction for marketing data — this is data that, as Mr. Hadley has 
said, is not used for eligibility purposes. But as you look into access 
to marketing data, it requires you to authenticate who is coming 
in. In other words, is it Jerry Cerasale or is it an imposter? And 
in order to have that data, in order to be able to authenticate, you 
need more data. 

So in the essence of access and then correction, it is going to re- 
quire more data, more accurate data, because you can have inac- 
curacies in marketing data. Tony says that it is great, but it is not 
as precise as Fair Credit Reporting data because it is not for eli^- 
bility; it determines what ad I will receive, what type of offer I will 
receive. And if a marketer is off, it is 95 percent correct, that is 
OK because it is not worth the expense to go to 100 percent, where- 
as in Fair Credit Reporting you need it. 

So having access and correction requires more data. And, of 
course, it is, therefore, more expensive, as well. So, I mean, let’s 
be truthful here. But I think it goes against the idea you are wor- 
ried about with data because you are going to create more data on 
the marketing side and requiring it to be more precise, and there- 
fore that is an issue. You need to have one bit of information more 
than the imposter in order to prevent that kind of fraud in that 
area. So it raises that problem. 

Senator Thune. Ms. Rich, the FTC released a report on con- 
sumer privacy in 2012 that recommended, and I quote, “companies 
should provide reasonable access to the consumer data they main- 
tain; the extent of access should be proportionate to the sensitivity 
of the data and the nature of its use,” end quote. 

The report continued that, for marketing data, the commission 
believes that the cost of providing individualized access to con- 
sumers would likely outweigh the benefits. 

Can you comment on that statement, expand on what the costs 
and benefits would be to have individualized access to marketing 
data? 

Ms. Rich. What we said in the report was that, you know — and, 
obviously, the report was a prelude to further discussion and poten- 
tially Congress acting, because at the time we were recommending 
legislation. 

But what we said in the report is that we saw a difference be- 
tween marketing data and, for example, fraud mitigation and iden- 
tity verification products, and that for marketing data it might be 
appropriate to not only give consumers access to the categories of 
data that is collected about them but to allow them to suppress use 
of the data, but not necessarily to give them individualized access. 

But we didn’t say there shouldn’t be access at all. We said there 
should be access to the categories of data and an ability to suppress 
use of the data. And then, for other products, it may be appropriate 
to give individualized information about the data. 

Senator Thune. OK. But the calculation you made, according to 
this at least, is that the individualized access to consumers would 
likely outweigh the benefits for marketing purposes. 

Ms. Rich. Yes. Yes. But for further consideration also by Con- 
gress. But, yes, we did see a difference, we did see a distinction be- 
tween marketing uses and other uses. 

Senator Thune. OK. 
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Mr. Chairman, thank you. 

The Chairman. Thank you. 

Senator Fischer? 

STATEMENT OF HON. DEB FISCHER, 

U.S. SENATOR FROM NEBRASKA 

Senator Fischer. Thank you, Mr. Chairman and Ranking Mem- 
ber. 

Ms. Rich, in your testimony, you referenced the commission’s ac- 
tivities with regard to enforcement. Can you describe to me what 
you think the focus of the enforcement activity should be? 

Ms. Rich. Well, we always, in our enforcement, focus on uses of 
data that have the potential to harm consumers. And most of our 
enforcement actions have been in the area of the Fair Credit Re- 
porting Act because that is where we have our strongest tools. And 
when data is used for purposes covered by the FCRA, it can be 
used to deny consumers important benefits like employment or 
credit. 

Senator Fischer. Do you think that the FTC has done a good job 
with its existing authority to address what has been the number- 
one consumer complaint for the past 13 years running, and that is 
fighting identity theft? 

Ms. Rich. We are trying our hardest. We don’t have the author- 
ity to go after the perpetrators of identity theft, but one of the main 
reasons we are so strong in our data security enforcement is that 
we do believe that it is the responsibility of companies to protect 
sensitive information, and to maintain and protect it from getting 
in the hands of identity thieves. 

Senator Fischer. Are you able to identify the thieves them- 
selves? And what happens then? How does that all work? 

Ms. Rich. Well, you know, many of the thieves are overseas. We 
do work with criminal authorities, and sometimes they are inves- 
tigating the thieves while we are investigating the companies that 
failed to maintain reasonable procedures to protect the data. 

Often, the thieves are never caught because they are in Russia 
or China. But if a company does not maintain reasonable proce- 
dures to protect data, we have some good tools to hold them liable. 
Although, we continue to recommend passage of a strong data secu- 
rity law that would give us civil penalty authority and strengthen 
those tools. 

Senator Fischer. Have you brought those forward before this 
committee? I am a new member on the Committee. Has the FTC 
suggested those in the past? 

Ms. Rich. Yes. Senator Rockefeller would be very — Chairman 
Rockefeller would be very familiar with our advocacy for data secu- 
rity and data breach legislation. 

Senator Fischer. OK. Thank you very much. 

Mr. Turow, when we talk about the data broker — and you had 
a definition of a data broker as somebody who connects the dots for 
marketers, is that correct, in your testimony? 

Mr. Throw. That is not my only definition, but certainly that is 
what they do. They can do that. 

One thing I would like to point out — may I go on? 

Senator Fischer. Yes. 
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Mr. Turow. One thing I would like to point out that I don’t know 
if we have had enough discussion about today, which is, it is not 
just discrete bits of information that is going on more and more 
and that are sold, and it is not just the aggregation of these. Real- 
ly, what is happening is the industry and so much of our world is 
turning into an actuarial activity. It really is the predictive ana- 
lytics that are changing the ballgame. 

And so a person can be giving out the most benign-sounding 
piece of data, and that can turn against him or her in an instant 
if it gets put into an algorithm that comes up with an either accu- 
rate or inaccurate sense of who that person is. 

And we have no way to deal with this at this point and no way — 
even to where I have been told in the ad industry that the word 
“soccer mom” — that I have had people tell me they don’t know, nec- 
essarily, how a person is tagged as a soccer mom. The number of 
data points — seriously told me this — the number of data points that 
are involved in designating a soccer mom, the person said in the 
ad agency to me, was such that they couldn’t tell me where that 
got that desi^ation from. 

Now, if it is true, that is very complicated. And if it is not true, 
that is a problem in itself. And I was trying to figure out why it 
is that ad companies can’t tell people where particular labels on 
them come from. And now I am being told more and more it is the 
algorithm, it is the predictability. 

Senator Fischer. With your definition or an expanded definition, 
then, how many private companies do you think can be classified 
as this, just in the United States? How many private companies 
are we talking about? 

Mr. Throw. I haven’t seen a definition, but I would agree that 
more and more we are dealing with companies of all sorts con- 
necting lots 

Senator Fischer. It would be like any small business? 

Mr. Throw. I wouldn’t worry 

Senator Fischer. The big box retailers? Who? 

Mr. Throw. — so much about a small business, but I would worry 
about big supermarkets. 

Senator Fischer. Big box retailers? 

Mr. Throw. I would worry about, yes, big box stores. I would 
worry about a whole lot of companies that on a daily — we haven’t 
talked about retail outlets and the fact that the Internet inside a 
store and the connecting of online and offline is taking place in- 
creasingly as people walk through looking at products, the so-called 
moment of truth, and how that relates to the algorithms I have 
been discussing. What does it mean to have predictive analytics 
stare you in the face while you are deciding diapers, OK, or some- 
thing even more important? 

And, in fact, the notion — it may be that Experian doesn’t deal 
with over-the-counter drugs, but there are companies that, in one 
way or another, take what people purchase over the counter and 
solicit opinions through sweepstakes about their health activities 
and purchases and sell them, very clearly. 

Senator Fischer. So what I hear you saying is what I believe, 
that really almost any retailer could be classified then 

Mr. Throw. If they share data, and I have 
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Senator Fischer. And how, then, do you believe the government 
should become involved in private business in this country, when 
you have that expanded definition? 

Mr. Throw. It obviously makes it much more complicated. And 
that is what I have begun to believe that, at least as a start, there 
may be some useful public discussion in asking how many data 
points firms are allowed to buy and sell about us at a time and how 
they can be merged to other data points, so that we won’t have con- 
tinual flows of data being appended to our lives. 

It is really an interesting difficulty that you bring up 

Senator Fischer. OK. Thank you. 

Mr. Throw. — aside from the fact that, for example, if you go to 
Kroger’s website and look at their privacy policy, I couldn’t figure 
out head nor tail whether they sell that stuff, because they use 
words like “affiliates” and “subsidiaries,” and it is done in such a 
way that it is extremely difficult to tell. 

And I know of one company that sells bracelets for health where 
I looked at their website, and basically at one point after they say 
what data they can get out of the bracelet, they say, some of this 
data might indicate poor health on your part. And then the issue 
is, what do they do with it? 

Senator Fischer. Right. 

Mr. Throw. And we don’t know. You can’t tell. 

Senator Fischer. Right. Thank you. 

Mr. Chairman, could I ask Ms. Rich if she wanted to say some- 
thing? She is eager 

Ms. Rich. I am going like this. 

Senator Fischer. And I was trying to stay within my time limit, 
seriously. Thank you, Mr. Chairman. 

Ms. Rich? 

Ms. Rich. I just wanted to add something to the point you were 
making about the number of data brokers. One of the things that 
we — the way we think about it at the FTC, to make it a more man- 
ageable issue and problem, is to focus on the non-consumer-facing 
data brokers, because, after all, if the issue is really about trans- 
parency, at least that is where the concerns are the greatest, that 
consumers don’t even know who those invisible, behind-the-scenes 
companies are. 

And although I think that there has been a lot of discussion 
about how the definition is so broad we can work on that. But I 
think it is kind of proof of the problem, not that there isn’t a solu- 
tion. Because the fact that Pam says there are thousands of data 
brokers and the Committee report says hundreds and the industry 
says hundreds, I mean, I think that is part of the problem. We 
don’t know who all these entities are and we don’t have a handle 
on it. And that is part of the proof that there really isn’t trans- 
parency in this industry. 

Senator Fischer. So would you say that just about any website 
that a person goes to, they are in danger of having information 
gathered that they may not want to have either private companies 
or the government know about? 

Ms. Rich. Well, I mean, as I was saying, if we are talking about 
the data broker issue, we would prefer to focus on the non-con- 
sumer-facing sites, where they are truly not transparent. 
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You know, we have other recommendations for consumer-facing 
websites. We think there should be choices and opt-outs there so 
that consumers have some ability to prevent sales to third parties 
if they so choose. 

But for this data broker problem, we at the FTC would really 
like to focus on the non-consumer-facing sites. 

Senator Fischer. OK. Thank you very much. 

Thank you, Mr. Chair. 

The Chairman. Thank you. Senator Fischer. 

We have a vote at 4:30. I would like to ask one more question. 

And this is coming right at you. Dr. Turow. You have been tak- 
ing all kinds of notes. 

Mr. Throw. I have. 

The Chairman. So you are ready. I would like to further explore 
the notion that data brokers are selling products to help marketers 
target pitches to the specific interests and needs of consumers. 

Let’s take a product called “Relying on Aid.” This is a grouping 
of consumers that the data broker defines as follows: “These single 
retirees of limited means and meager retirement savings are just 
barely able to make ends meet.” 

The description goes on to say, “With only a high school edu- 
cation at best, it has been hard to get ahead. Poorly insured and 
Medicare/Medicaid-dependent, they are generally pessimistic about 
their economic situation,” and, incidentally, about themselves. 

My question to you. Professor Turow: In your testimony, you 
highlight some other ways companies may be using such consumer 
lists that don’t necessarily involve product pitches, such as deciding 
who should have to wait longer for customer service, who should 
be rejected as a valued customer, or who should be offered coupons 
for only non-nutritious foods. 

What thoughts come to your mind when you hear data brokers 
are marketing descriptions like “Relying on Aid” to potential con- 
sumers? 

Mr. Throw. It is not unpredictable. It has been going on for 
years. It is a problem, I agree, and it is going to get worse as the 
baby boomers get older. I think we are only beginning to see the 
tip of the iceberg here. 

But I think one of the issues is also that, as we get more individ- 
ualized — 

The Chairman. What do you mean, tip of the iceberg? 

Mr. Throw. I think we are going to have this huge generation 
of older people in 15 years that are going to be 

Senator Thhne. Not you. 

[Laughter.] 

Mr. Throw. — divebombed with these kinds of offers. And I was 
beginning to say, it is going to be more particularized. 

The thing about that category. Chairman Rockefeller, is that it 
is a category. More and more, that is going to become anachro- 
nistic. And what it is going to be is a particular person who can 
be maybe even more persuaded because of other characteristics 
that predict that. So that category will be broken up 

The Chairman. Including low self-esteem. 

Mr. Throw. Yes, and a lot of other things: what kind of car they 
drive that leads them to be this, that, and the other thing. So that 
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you won’t even be able to point to the category in a catalog any- 
more; it will be something that you won’t be able to easily track 
down. And yet those people will be targeted increasingly because 
of the situations they are under. The same category, only divided 
up into millions and millions of people and personalized. 

The Chairman. So what would you do about it? 

Mr. Throw. As I said, I think — well, these are social questions. 
And I believe that we have to worry about the kinds and the 
amounts of data that get combined. I don’t have an answer for 
that. I think it is a very important social discussion. At this point 
in time, we haven’t had that social discussion. 

People don’t even know this stuff is going on. Our studies have 
shown that people know they are being tracked. But when you ask 
people basic questions of how this stuff works and how they think 
it works — we did a 2005 study in which Americans said, a majority, 
a clear majority of Americans said that they think that price dis- 
crimination is illegal. OK? 

We continually find that people see the word “privacy policy” on 
a website, they think it means — and we have done this five times 
in national surveys — they think the words “privacy policy” means 
that the site can’t share information about you without your per- 
mission. 

The ad icon is a great idea, but it doesn’t work. You know, the 
studies have shown, including one that we did a couple of years 
ago, that Americans, like Senator Booker, have no clue that it ex- 
ists most of the time. 

I suggest — and that is how I got into the algorithm thing. The 
idea for an icon that I had originally, before this one came out, was 
that when you clicked on an ad that was tailored to you, you could 
find out who gave you the ad, what were the elements of the ad, 
why did you get that particular ad just at that moment. 

But those data are considered too proprietary, and then people 
tell me the algorithm doesn’t help. And so, at this point in time, 
there is nobody who wants to volunteer to give that information. 

The Chairman. And people use barcoding, don’t they 

Mr. Throw. Well, I 

The Chairman. — to find out names and addresses and other 
stuff? 

Mr. Throw. Oh, yes. And even if you are anonymous — a very 
short example that happened to me. It is not quite a big data com- 
pany, but it shows the direction. 

I was at O’Hare, and I had to switch planes when one of my 
planes was canceled. So I went to the customer service place of the 
affiliated airline. They asked me to put my barcode in, and they 
gave me a number. On the side of me, on the screen, it said, the 
amount of time it will take to serve you will be based on your pri- 
ority in terms of your status with our loyalty program. 

The Chairman. Interesting. 

Mr. Throw. And so I, fortunately, had a lot of points, I got 
served pretty quickly, but I noticed there were people who were 
just sitting there. And that meant that they didn’t get the flights 
that they could have gotten. 
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The Chairman. This is segmenting Americans. It is pre-pre- 
dicting what will happen to them by virtue of the circumstances 
into which they fall. 

Mr. Throw. And who is valued 

The Chairman. And all the research has been done to put them 
in that situation so they can control how they market and maxi- 
mize their profit and maybe end up absolutely giving a horrible ex- 
perience to that consumer. 

Mr. Throw. I agree. 

The Chairman. Senator Thune, I have something I want to say, 
but you are important around here. Do you want 

Senator Thhne. No, go ahead. I am fine. 

The Chairman. OK. 

I want to come back — since before 9/11, I have been on the Intel- 
ligence Committee, and every day I wake up to seven newspapers 
with nothing but NSA headlines. And I am here to tell you, as one 
of the authors of FISA and the PATRIOT Act and all the rest of 
it, that the NSA is so secure in its protection of privacy as com- 
pared to this group that we are talking to, these data brokers, it 
is not even close. 

This affects, as was pointed out, anybody, everybody. Who 
knows? NSA knows. They are only likely to interact at a .000001 
percent of people that they conclude need, you know, further obser- 
vation. This is everybody, anybody, but more than that, divided 
into race, economic activities, education. 

And there is something — I can’t prove it is wrong, but there is 
something lethal about it. There is something unfair about it. It is 
something like — you know, if somebody is poor or less educated — 
and this is what I have spent my life — I come from West Virginia, 
where a lot of people face these problems. They are stigmatized. 
They have to live with it. The system is stacked against them. And 
a lot of people are making a lot of money out of it, and one are the 
data brokers. 

I am not asking for an argument because the bell just went off. 
But I am here to say that this is a very serious situation. I think 
everybody here agrees this has not been talked about. We have 
done an investigation of it, FTC has looked at it, you all have 
looked at it, you certainly have. And we have to continue on this 
thing. 

You know, the slogan of one of the companies that the Com- 
mittee reviewed in this investigation, the company says it lives by 
the following words: “Just because you can doesn’t mean you 
should.” Unfortunately, I have been thinking about this because to- 
day’s testimony and the Committee’s inquiry shows the industry as 
a whole is falling far short of that standard — appears to be falling 
far short of that standard. In fact, it seems to me the motto of data 
brokers is: “We can, and indeed we will.” Full of optimism. 

We heard from Ms. Dixon about the lists generated by data bro- 
kers from genetic disease sufferers and dementia sufferers to pay- 
day-loan responders, products that seem tailor-made for businesses 
seeking to take advantage of consumers. I hate that. I personally 
am revolted by that. I have seen it in the treatment of coal miners 
and their safety. I have seen it in every aspect of life in the state 
that I come from and elsewhere, living abroad. I don’t like it. 
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I think it is our job as a government to minimize that possibility 
and to bring out into sunlight what is going on. If Senator Booker 
doesn’t know that this is happening to him — he does now, and he 
doesn’t like it. Senator McCaskill really nailed something that 
could not be responded to. 

And so we are going to continue on this track. I think it is seri- 
ous, and I think it is a dark underside of American life on which 
people make a lot of money and cause a lot of people to suffer even 
more and, therefore, have even lower self-esteem, which is not the 
America we want. 

This hearing is adjourned. 

[Whereupon, at 4:30 p.m., the hearing was adjourned.] 




APPENDIX 


Response to Written Question Submitted by Hon. John D. Rockefeller IV 

TO Jessica Rich 

Question. Ms. Rich, the Commission currently has authority under the Fair Credit 
Reporting Act to seek enforcement actions against data brokers that provide infor- 
mation that is used to make eligibility decisions about consumers. Furthermore, the 
Commission has its broad organic authority under the FTC Act to enforce against 
unfair or deceptive acts or practices. However, the Commission lacks authority to 
mandate the type of transparency that all of the hearing’s witnesses apparently 
agree is important for the industry. In this context, does the FTC have authority 
to require data brokers to allow consumers to: 

• Access the information data brokers possess on them? 

• Correct any inaccuracies? 

• Affirmatively “opt out” and prevent the data broker from selling their informa- 
tion? 

Answer. Although the FTC has used its authority under the Fair Credit Reporting 
Act (FCRA) and the FTC Act to take action against unlawful practices by data bro- 
kers, the FTC does not have the authority to impose the requirements you identify. 
The FTC has consistently treated the Fair Credit Reporting Act (FCRA) as an en- 
forcement priority. It has brought almost 100 cases alleging violations of the FCRA, 
obtaining in excess of $30 million in civil penalties. However, as we explained in 
our March 2012 report Protecting Consumer Privacy in an Era of Rapid Change: 
Recommendations for Businesses and Policymakers (Privacy Report), the FCRA cov- 
ers only some data broker activities. The FCRA generally does not cover data bro- 
kers that maintain data for marketing purposes and for other non-marketing pur- 
poses, such as to locate people or detect fraud. Thus, consumers do not have, for 
all data broker activities, the access, correction, or consumer control rights the 
FCRA provides for data brokers engaged in certain eligibility determinations. 

In addition, the FTC has used its authority under the FTC Act to address unfair 
or deceptive practices in the data broker industry. See, e.g., United States v. 
ChoicePoint, Inc., No. l:06-cv-00198 (N.D. Ga. Feb. 15, 2006) (FTC alleged, among 
other things, that a data broker engaged in unfair practices by failing to properly 
screen or monitor purchasers of sensitive consumer data) ; In re U.S. Search, Inc., 
FTC Docket No. C-4317 (Mar. 25, 2011) (FTC alleged that a data broker deceived 
consumers by offering an opt out that was ineffective). Unless they are implemented 
as remedies to a violation of the FTC Act, however, we do not currently have the 
authority to require data brokers to provide consumers with access or correction 
rights, or to allow consumers to suppress or opt out of the sale or use of data held 
by data brokers. 

In recognition of these gaps, the agency recommended legislation, in its March 
2012 Privacy Report, that would offer the consumer rights you have identified. 


Response to Written Questions Submitted by Hon. Kelly Ayotte to 

Jessica Rich 

Question 1. Earlier this year, FTC Commissioner Julie Brill called upon state AGs 
to take a more active role in investigating and holding accountable data brokers for 
violations of the Fair Credit Reporting Act. Can you talk about the role of state law 
enforcement officials in this field? Does your agency work closely with your state 
law enforcement counterparts on pursing privacy and marketing complaints? 

Answer. The FTC has consistently treated the Fair Credit Reporting Act (FCRA) 
as an enforcement priority. It has brought almost 100 cases alleging violations of 
the FCRA, obtaining in excess of $30 million in civil penalties. State attorneys gen- 
eral (AG) also have a role to play in enforcing the FCRA. Under section 621 of the 
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FCRA, state AGs can bring an FCRA enforcement action, so long as they provide 
the FTC and the Consumer Financial Protection Bureau with advance notice; the 
FTC has the right to intervene in such matters. This provision ensures that states 
coordinate their FCRA enforcement efforts with the appropriate Federal regulators. 
In addition, we work very closely with the states to educate identity theft victims 
of their rights under the FCRA. Our Tax Identity Theft Awareness week, involving 
multiple outreach events across the country, is a good example of our collaborative 
efforts with states to protect consumers in this area. See ftc.gov / taxidtheft. 

Outside the FCRA, the FTC and state AGs cooperate often on privacy and secu- 
rity and related marketing investigations. One notable example is the action the 
FTC brought with 35 state AGs against LifeLock for deceptive claims about the ef- 
fectiveness of LifeLock’s identity theft services and its security measures. This 2010 
action is one of the largest FTC-state coordinated privacy-related settlements on 
record. The FTC has also pursued several Do Not Call privacy cases with state AGs 
serving as co-plaintiffs, including enforcement actions brought against Dish Net- 
work, LLC, United States Benefits, LLC and Worldwide Info Services, Inc. In addi- 
tion, the FTC participates in monthly telephone conferences with members of the 
National Association of Attorneys General’s Do Not Call working group. The FTC 
continues to coordinate with state AGs on a variety of law enforcement investiga- 
tions involving privacy and security in order to avoid duplication of efforts and en- 
sure appropriate and responsible allocation of enforcement resources. 

Question 2. When we look at current Federal law governing data brokers, we have 
Fair Credit Reporting Act, Graham-Leach-Bliley, HIPPA, Children’s Online Privacy 
Protection Act, and Electronic Communications Privacy Act. Plus there are 50 AGs 
policing behavior and activity. In addition to that, we have brokers touting their ag- 
gressive self-regulatory policies. Can you address specifically what more legislation, 
mandates or regulations you think we need? Some have argued that before we add 
more laws and/or regulations to the books, we should enforce the ones we have. 

Answer. While these statutes all provide important protections for consumer data, 
they have limitations. Gramm-Leach-Bliley, for example, applies only to financial in- 
stitutions; HIPAA covers only medical records maintained by specifically defined 
medical providers; the Children’s Online Privacy Protection Act does not cover data 
collection or use for individuals age 13 and over; and the Electronic Communications 
Privacy Act is focused on government access to electronic data. Similarly, as we ex- 
plained in our March 2012 report Protecting Consumer Privacy in an Era of Rapid 
Change; Recommendations for Businesses and Policymakers (Privacy Report), the 
Fair Credit Reporting Act covers only some data broker activities. The FCRA gen- 
erally does not cover brokers that maintain data for marketing purposes and for 
other non-marketing purposes, such as to locate people or detect fraud. 

The Commission agrees that self-regulation can be an effective way to protect con- 
sumer interests while promoting innovation. The Commission has long supported ro- 
bust, enforceable self-regulatory mechanisms established by industry to protect con- 
sumers. As we noted in our Privacy Report, however, self-regulatory efforts by the 
data broker industry have lagged. The Commission has monitored data brokers 
since the 1990s. In 1997, the Commission held a workshop to examine database 
services used to locate, identify, or verify the identity of individuals, referred to at 
the time as “individual reference services.” The workshop prompted industry mem- 
bers to form the self-regulatory Individual Reference Services Group (IRSG). The 
Commission subsequently issued a report on the workshop and the IRSG in which 
it commended the progress made by the industry’s self-regulatory programs, but 
noted that the industry’s efforts did not adequately address the lack of transparency 
of data broker practices. Although industry ultimately terminated the IRSG, a series 
of public breaches — including one involving ChoicePoint — led to renewed scrutiny of 
the practices of data brokers. The Privacy Report noted that the industry has con- 
tinued to operate since then with a lack of transparency. To address this concern, 
the Privacy Report expressed support for legislation that would give consumers ac- 
cess to information held by data brokers. 
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Response to Written Question Submitted by Hon. Amy Klobuchar to 

Jerry Cerasale 

Question. Most consumers would like to believe that any of their personal infor- 
mation held by companies is private, secure, and accurate. However, with rapidly 
changing marketing strategies and technology platforms, consumers are no longer 
sure that this is the case. 

Mr. Cerasale: How do your members, both large and small marketers, work to 
promote consumer trust in your services? How can a lack of consumer trust in pri- 
vate data storage and use policies impact the broader economy? 

Answer. Consumer trust forms the bedrock of the Data-Driven Marketing Econ- 
omy — and the American economy as a whole. Consumer trust is critical to a com- 
pany’s success, regardless of the size of the business. This is especially true for re- 
mote sellers that rely on customers to purchase goods sight unseen. Businesses have 
every incentive to protect and promote consumer trust in the goods and services 
they deliver. 

While businesses are already incentivized to promote consumer trust, DMA sup- 
ports this incentive with a robust ethics and compliance program that calls on its 
members to adhere to its Guidelines on Ethical Business Practice. For more than 
four decades, DMA has administered its Guidelines and promoted accountability for 
its members, setting a high bar for responsible marketing. The DMA Ethics Policy 
and Ethics Operating Committees develop, update and enforce DMA’s Guidelines as 
part of DMA’s public trust with regulators and consumers. The accountability pro- 
gram is flexible enough to address ongoing changes in technology, markets, con- 
sumer interest and new business practices. 

Data security is a prime example of DMA’s commitment to maintaining consumer 
trust, having long served as a core principle of the DMA’s Guidelines. Like many 
elements in the Guidelines, the DMA’s data security standards have remained far 
from static. In January 2014, the DMA approved updated Business Ethical Guide- 
lines on data security, calling on every data-driven marketer to take proactive meas- 
ures to further enhance data security across the data-driven marketing industry. 

In addition to data security, DMA members are committed to offering consumers’ 
choice, and to using marketing data for marketing purposes, not for eligibility such 
as employment and financial transactions. These and other consumer-friendly prac- 
tices help build and maintain trust in the data-driven marketplace. 

When it comes to assessing whether businesses have gained consumers’ trust and 
confidence, the proof is in the numbers. Remote selling, including through 
ecommerce, is a fast growing segment of our economy. More broadly, the data-driven 
marketing economy (“DDME”) added $156 billion in revenue to the U.S. economy 
and fueled more than 675,000 jobs in 2012 alone. 

$110 billion and 46,000 jobs depend on the ability of firms to exchange data across 
the DDME.i Indeed, responsible use of data by marketers has revolutionized one of 
the most costly aspects of doing business in any industry. As businesses of all sizes 
innovate to deliver more efficient, convenient, and secure marketing and trans- 
actional solutions, consumers are responding with a vote of confidence with their 
feet and with their pocketbooks. 


Response to Written Questions Submitted by Hon. Kelly Ayotte to 
Jerry Cerasale 

Question 1. Do self-regulatory programs, such as the DMA’s Guidelines for Ethical 
Business Practice, and other industry codes of conduct based on these and other 
guidelines, promote responsible use and sharing of data in the marketplace? How 
widespread is adoption of these programs in the marketing industry? How do gov- 
erning organizations enforce the rules of these programs against bad actors? 

Answer. Yes. Self-regulatory programs, like the one administered by the DMA, 
not only promote, but also require companies to engage in the responsible use and 
sharing of data in the data driven marketing economy (“DDME”). The DMA believes 
that self-regulation and education are important components for addressing con- 
sumer privacy while ensuring that data flows continue to benefit consumers and the 
economy. 

DMA Reach & Scope. The DMA has established an enforceable framework of in- 
dustry best practices that focus on providing transparency, choice, and other protec- 
tions to consumers. At the foundation of this framework are the DMA Guidelines 


1 Deighton and Johnson, The Value of Data: Consequences for Insight, Innovation & Efficiency 
in the U.S. Economy (2013), available at httpij ! ddminstitute.thedma.org ! itvalueofdata 
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for Ethical Business Practice (“DMA Guidelines”), which have been adopted by all 
DMA members, representing every segment of the marketing industry. In addition, 
the DMA enforces its guidelines against both members and non-members covering 
thousands of companies, making the DMA Guidelines the standard for the industry. 

DMA members deeply value consumer trust and understand that responsible data 
practices are critical to building and maintaining customer relationships. To that 
end, the DMA and its members have developed and implemented more than 50 code 
sections in the DMA Guidelines that regulate marketing data practices, which are 
regularly updated to adapt to new technologies and business practices. The DMA 
Guidelines address a wide variety of marketing practices including, the conduct of 
data brokers, sweepstakes, mobile marketing, internet-based marketing, and 
texting. 

Enforcement. The DMA has a long history of enforcing these guidelines. The DMA 
Guidelines have been applied to hundreds of cases concerning a wide range of issues 
including deception, unfair business practices and personal information protection. 
In addition, companies that represent to the public that they are DMA members, 
but fail to comply with the DMA Guidelines, may be liable for deceptive advertising 
under Section 5 of the FTC Act and comparable state laws. 

Compliance Process. The DMA receives complaints from consumers, members, 
nonmembers, and consumer protection agencies. These complaints are reviewed by 
the DMA’s Ethics Operating Committee and if a potential violation is found to exist, 
the company will be contacted, investigated, and advised on how it can cure the vio- 
lation. Most companies work with the Ethics Operating Committee voluntarily to 
cease or change the questioned practice. However, if a company does not cooperate 
with the Ethics Operating Committee, action can be taken by the Board of Directors 
and the results of the investigation may be made public. For example, from Feb- 
ruary 2012 to June 2013, the DMA Corporate & Social Responsibility Committee re- 
viewed 55 cases and 12 of these were made public. ^ Additional Board actions could 
include public censure, suspension or expulsion from the DMA. The DMA also refers 
cases to Federal and state law enforcement authorities for review when appropriate. 

Education. Beyond enforcement of the DMA Guidelines, the DMA also provides 
education to both businesses and consumers about responsible data collection and 
use. Through the regular publishing of case reports that summarize questioned mar- 
keting promotions, webinars, in-person seminars, and regular communication with 
its members, the DMA helps to promote best practices in the industry. This commu- 
nication and education is a great benefit to small businesses as they begin to mar- 
ket their products and services to consumers. The DMA also maintains a section of 
our website focused on consumers entitled “Consumer Help,” and offers consumers 
a centralized tool to help manage their direct mail and e-mail preferences at 
DMAChoice.org. 

Question 2. In large part. New Hampshire’s economy depends on small businesses 
and start-up companies. My husband is the owner of a small business. Does the use 
and sharing of data across all sectors of the economy help or hurt the ability of 
small businesses to compete with larger entities in the marketplace? Does the use 
and sharing of data increase or decrease barriers to entry in the marketplace? How 
do these trends impact job creation? 

Answer. Small businesses benefit significantly from the use and sharing of data. 
A recent study entitled. The Value of Data: Consequences for Insight, Innovation & 
Efficiency in the U.S. Economy (“Value of Data”), quantified the important role that 
the use and sharing of data plays in fueling economic growth.^ This study, which 
was conducted independently by Professors John Deighton of Harvard Business 
School and Peter Johnson of Columbia University, revealed that the Data Driven 
Marketing Economy (“DDME”) was a major asset to small businesses and start-ups. 

The Value of Data study found that the sharing of data across the DDME enables 
small businesses to compete effectively with larger competitors. Data gives all com- 
panies, and especially small businesses, the ability to effectively match products to 
customers both on and offline, lowering barriers to market entry for specialized or 
niche offerings. Thanks to the responsible use and sharing of data across the econ- 
omy, small business have access to data they would not otherwise have available 
to them, enabling them to more efficiently and effectively market their products and 
better compete in the marketplace. Data sharing also allows small businesses to in- 


1 Direct Marketing Association, DMA Annual Ethics Compliance Report 2012-2013 (2013), 
available at http:! ! thedma.org ! compliance ! . 

2 Deighton and Johnson, The Value of Data: Consequences for Insight, Innovation & Efficiency 
in the U.S. Economy (2013), available at http: 1 1 ddminstitute.thedma.org I #valueofdata (herein- 
after “The Value of Data”). 
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crementally build their customer base, and grow their product in ways never before 
available to companies of their size. 

The Value of Data study also found that the DDME generated $156 billion in rev- 
enue to the United States economy and fueled more than 675,000 jobs in 2012 alone. 
Further, the study found that an additional 1,038,000 people owe their employment 
to these DDME jobs.® The study also found that in New Hampshire, the DDME was 
responsible for $1 billion in revenue and 3,000 jobs in the state’s economy.'^ The 
study estimated that 70 percent of the value of the DDME — $110 billion in revenue 
and 475,000 jobs nationwide — depends on the ability of firms to share data across 
the DDME. If this ability to share data were curtailed, those jobs and revenue 
would be impacted and the U.S. economy would be much less efficient. 

o 


^The Value of Data at 74. 
‘^The Value of Data at 96—98. 



